Combine two fields into one via add_fields

bascht · February 5, 2021, 8:57pm

Hey everyone.

I am trying to achieve something seemingly simple but cannot get this to work with the latest Filebeat 7.10:

I want to combine the two fields foo.bar and foo.baz into a single new field that just joins the strings.

so { foo.bar: "x", foo.baz: "y" }

will become: { new: "combine-x-y" }

My processor:

processors:
 - add_fields:
      when.has_fields: ["foo.bar", "foo.baz"]
      fields:
        new: "combine-${data.foo.bar}-${data.foo.baz}"

which will result in:

Exiting: error initializing processors: fail to unpack the add_fields configuration: missing field accessing 'processors.2.add_fields.fields.new'

I tried all different interpolation styles (%{[]} or ${foo} instead of ${data.foo}) but none of them worked.

Am I missing something obvious?

shaunak · February 5, 2021, 10:26pm

Hi @bascht, welcome to the Elastic community forums!

I don't believe this is possible. You may want to look into the Script Processor instead.

Shaunak

bascht · February 6, 2021, 12:48pm

Interesting, thanks for the hint! It looks quite complex but I'm gonna give it a try!

system · March 6, 2021, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
The "fields" property only works with the dictionary type Beats filebeat	3	582	October 4, 2018
Is it possible to interpolate a field's value in a string? Beats filebeat	2	504	April 9, 2021
Beats - Define field type with add_fields processor in *beat.yml? Beats	2	815	March 18, 2020
Beats fields.yml and multi-fields Beats	6	765	June 19, 2018
Add_field doesn't work Logstash	13	1368	October 24, 2018