Correct way to access nested fields in logstash filters

leandrojmp · May 23, 2018, 2:31pm

Hello,

The documentation says that to access nested fields you need to use the format [parent][child], but the format [parent.child] also works.

I started to use [parent.child] after some tests on version 5.4 where, for some reason maybe not related to the field name, the format [parent][child] was not working.

Now I have a few fields and filters where I use [parent.child] without any problem.

My question is: Should I change it to [parent][child] or could I keep using [parent.child], which looks better in my opinion

A example of my use is:

    if [device.model] == "MODEL" {
        translate {
                field => "rule.policy"
                destination => "rule.policy"
                override => true
                dictionary_path => ["/etc/logstash/dict/dict-rules.yml"]
                refresh_interval => "900"
        }
    }

If I change it to [parent][child] as show bellow, it will work without any problem?

    if [device][model] == "MODEL" {
        translate {
                field => "[rule][policy]"
                destination => "[rule][policy]"
                override => true
                dictionary_path => ["/etc/logstash/dict/dict-rules.yml"]
                refresh_interval => "900"
        }
    }

leandrojmp · May 23, 2018, 3:57pm

Oh, I've just made a confusion.

The fields aren't really nested, they are objects, that's why the [parent][child] did not worked when I tried, the field name was parent.child.

Badger · May 23, 2018, 4:06pm

Having . in a field name works, except where it does not work (and there are definitely places where it doesn't). I believe it is unsupported.

system · June 20, 2018, 4:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.