Apply elastic plugin on array items

parosio · January 24, 2020, 2:48pm

Hello,
I need to apply a search/translate for a field which optionally contains multiple values:

  event_id;ext_ref;  ... other fields
  "#123";"ref3";  . . . 
  "#244";"ref2|ref7";  . . .

the second field should be split (if it contains '|') and each of the resulting values looked up with elasticsearch plugin to enrich the event with additional fields.

The resulting doc should look like

  _id: "244",
  "_source": {
     "id": "244"
     "ext_ref" : [ "ref2", "ref7" ]
     "elk_fld1" : [ "data for ref2", "data for ref7" ]
     "elk_fld2" : [ "more data for ref2", "more data for ref7" ]
     . . .
 }

Is there any way to iterate over all the elements of ext_ref, other than

if [ext_ref][0] { elasticsearch {  .   .   .  } }
if [ext_ref][1] { . . . }
 . . .
if [ext_ref][n] { . . . }

?

Ramicoh · February 5, 2020, 2:15am

I guess you'll have to use the Ruby plugin and write Ruby code to iterate the collection...

system · March 4, 2020, 2:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use a logstash plugin within iteration Logstash	1	345	November 12, 2020
Ruby Filter to Add Multiple Values to a Field Logstash	3	2333	July 18, 2019
Parsing Logstash Data Logstash	6	740	September 27, 2017
Store multiple values using ruby in multivalue field Logstash	3	423	November 5, 2022
Translate plugin: translate array values/use tag instead of field/use wildcard/regex in field Logstash	3	1137	July 6, 2017

Apply elastic plugin on array items

Related topics