Apply elastic plugin on array items

parosio · January 24, 2020, 2:48pm

Hello,
I need to apply a search/translate for a field which optionally contains multiple values:

  event_id;ext_ref;  ... other fields
  "#123";"ref3";  . . . 
  "#244";"ref2|ref7";  . . .

the second field should be split (if it contains '|') and each of the resulting values looked up with elasticsearch plugin to enrich the event with additional fields.

The resulting doc should look like

  _id: "244",
  "_source": {
     "id": "244"
     "ext_ref" : [ "ref2", "ref7" ]
     "elk_fld1" : [ "data for ref2", "data for ref7" ]
     "elk_fld2" : [ "more data for ref2", "more data for ref7" ]
     . . .
 }

Is there any way to iterate over all the elements of ext_ref, other than

if [ext_ref][0] { elasticsearch {  .   .   .  } }
if [ext_ref][1] { . . . }
 . . .
if [ext_ref][n] { . . . }

?

Ramicoh · February 5, 2020, 2:15am

I guess you'll have to use the Ruby plugin and write Ruby code to iterate the collection...

Topic		Replies	Views
Use a logstash plugin within iteration Logstash	1	367	November 12, 2020
Append values to array field Logstash	3	4040	December 12, 2018
Translate return multiple fields Logstash	12	3159	July 6, 2017
Storing value and attaching it later Logstash	3	401	April 18, 2021
How to iterate through several elements and create a new field with the content of each element Logstash	3	454	February 18, 2020

Apply elastic plugin on array items

Related topics