The syslog patterns parse into the message field which causes the message field to become an array.
I would like to add a new field with mutate which uses as it's value the content of message[1] although I'm getting issues. Note that message[0] contains the original message.
mutate { # Logstash syslog patterns parse into the message field therefore move into seperate field.
add_field => [ 'text' => "%{message}[1]"]
}If you set overwrite => ["message"] for the grok filter it'll overwrite the original value instead of creating an array. If you really want to save the original field value (useful if you ever want to reindex but otherwise rather pointless) you can rename message prior to the grok filter (and then you don't need the override option).
add_field => [ 'text' => "%{message}[1]"]
You're mixing syntaxes. Pick one of:
add_field => ['text', "%{message}[1]"]
add_field => { 'text' => "%{message}[1]" }
Thanks Magnus although I did the following:
ruby { code => "event['text'] = event['message'][1]" }
You meant overwrite => ["message"]
You meant
overwrite => ["message"]
Yes indeed—thanks! I've edited the original post.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.