I have logs with variable field names. For example:
{"field_one":"first", "field_two":"second"}
{"field_two":"second", "field_three": "third"}
To get the correct index mapping, I currently use:
mutate {
  add_field => {
    "[field][one]" => "%{field_one}"
    "[field][two]" => "%{field_two}"
    "[field][three]" => "%{field_three}"
  }
}
This works, but I get the following indexed events:
[field][one] : "first", [field][two]: "second", [field][three]: "%{field_three}"
[field][one]: "%{field_one}", [field][two]: "second", [field][three]: "third"
If a value is not present in the event, then the value for the added field is just "%{value}". Is there a cleaner way to do this without adding an if statement to every single field added?
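One way to set the nested fields only when the source field exists, as an added example that is not part of the original post: a Ruby loop of the kind that can run inside Logstash's ruby filter, using the event's get and set calls. MiniEvent is a constructed stand-in for the Logstash event so the snippet runs on its own, and FIELD_MAP and copy_present_fields are hypothetical names.

```ruby
# Added example. MiniEvent is a constructed stand-in for the Logstash event
# object and supports only the get/set calls used below.
class MiniEvent
  attr_reader :data

  def initialize(data)
    @data = data
  end

  # "[field][one]" -> ["field", "one"]; "field_one" -> ["field_one"]
  def path(ref)
    ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  end

  def get(ref)
    path(ref).reduce(@data) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  end

  def set(ref, value)
    *parents, leaf = path(ref)
    node = parents.reduce(@data) { |n, key| n[key] ||= {} }
    node[leaf] = value
  end
end

# Source field => nested target field, taken from the mutate block above.
FIELD_MAP = {
  "field_one"   => "[field][one]",
  "field_two"   => "[field][two]",
  "field_three" => "[field][three]"
}.freeze

# The loop body is what would go in the ruby filter's code option.
# Absent source fields are skipped, so no literal "%{...}" is ever written.
def copy_present_fields(event)
  FIELD_MAP.each do |source, target|
    value = event.get(source)
    event.set(target, value) unless value.nil?
  end
  event
end

# Constructed sample events matching the two log lines in the post.
def demo
  [
    { "field_one" => "first", "field_two" => "second" },
    { "field_two" => "second", "field_three" => "third" }
  ].map { |doc| copy_present_fields(MiniEvent.new(doc)).data }
end
```
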