Combine two fields into one via add_fields

bascht · February 5, 2021, 8:57pm

Hey everyone.

I am trying to achieve something seemingly simple but cannot get this to work with the latest Filebeat 7.10:

I want to combine the two fields foo.bar and foo.baz into a single new field that just joins the strings.

so { foo.bar: "x", foo.baz: "y" }

will become: { new: "combine-x-y" }

My processor:

processors:
 - add_fields:
      when.has_fields: ["foo.bar", "foo.baz"]
      fields:
        new: "combine-${data.foo.bar}-${data.foo.baz}"

which will result in:

Exiting: error initializing processors: fail to unpack the add_fields configuration: missing field accessing 'processors.2.add_fields.fields.new'

I tried all different interpolation styles (%{[]} or ${foo} instead of ${data.foo}) but none of them worked.

Am I missing something obvious?

shaunak · February 5, 2021, 10:26pm

Hi @bascht, welcome to the Elastic community forums!

I don't believe this is possible. You may want to look into the Script Processor instead.

Shaunak

bascht · February 6, 2021, 12:48pm

Interesting, thanks for the hint! It looks quite complex but I'm gonna give it a try!

system · March 6, 2021, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.