Aggregate Filter mapping

Hello everyone!
I am trying to understand this behaviour with the map field syntax in the aggregate filter. In the code below, if I keep the field name as 'syntaxOddity', no data is copied over. But if I change the field name to 'syntaxoddity', it works just fine. This filter is being run after a jdbc input with SQL that has a field aliased to syntaxOddity.

filter {
  aggregate {
    task_id => "%{id}"
    code => "
      # copy the field from the event into the aggregate map
      map['syntaxOddity'] = event.get('syntaxOddity')
    "
    push_previous_map_as_event => true
    timeout => 60
  }
}

Any thoughts?

If you use

output { stdout { codec => rubydebug } }

what does the field you are trying to add to the map look like?

I see output with a field name like 'syntaxoddity'. Not sure what's going on here. I have an index template that defines the field as 'syntaxOddity'. Weirdly enough, Logstash seems to be adding one more field to the index mapping in all lower case. I must be missing something basic here.
The jdbc filter has a query that has aliased all fields in camel case.

select emp.syntax_oddity syntaxOddity  from ....

Those field names are used in the agg filter as well as in the index template. I verified that the template is created properly and is applied to the index.

        "syntaxOddity  " : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },

Still, Logstash adds more fields in lower case.
