Adding an array of events even if there is only one

ylevaill · January 22, 2024, 5:27pm

Hello,

I use this filter :

json {
      source => "message"
      add_field => { "[events][id]" => "%{_id}" }
      add_field => { "[events][nom]" => "%{eventName}" }
      add_field => { "[events][timestamp]" => "%{timestamp}" }
      add_field => { "[events][typeEv]" => "RESSOURCE" }
   }

And I get :
"events" => {
"nom" => " ACCESS-OUTCOME ",
"typeEv" => "RESSOURCE",
"timestamp" => "2024-01-22T10:02:04.713Z ",
"id" => " e3ee9f3a-e2444"
},
But what i want is that :
"events" => [ {
"nom" => "ACCESS-OUTCOME ",
"typeEv" => "RESSOURCE",
"timestamp" => "2024-01-22T10:02:04.713Z ",
"id" => " e3ee9f3a-e244"
} ],
Have you an idea how to get this ?

strawgate · January 23, 2024, 12:07am

This was asked in the elasticsearch section but that config looks like a logstash config.

There was a similar question asked a couple of years ago and I believe the recommendation was to drop down to a Ruby filter to achieve this behavior

system · February 20, 2024, 12:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.