Create array with only one element

Hi,

I'm trying to create an array with only one element, so that I can add more elements to it later with elasticsearch action update and script.

When adding an array with two elements like this:
filter {
    mutate {
        add_field => {"path2" => ["%{path}","5"]}
    }
}

I get an array element in elasticsearch like this:
"path2": [
"/path/to/my/file.txt",
"5"
]

But if I remove the "5" and write it like this:
add_field => {"path2" => ["%{path}"]}
I get a "path2" entry in elasticsearch which is not an array:
"path2":"/path/to/my/file.txt"

How can I create an array with only one element in it so that I can add elements to that array later?

ruby { code => 'event.set("path2", [ event.get("path") ])' }

Thanks a lot! That worked perfectly.
Is it only possible to add an array with just one element through ruby code? Or is there a way to solve this without having to use the ruby filter plugin?

In case someone is trying to do the same as I do, here's my full logstash config:

input {
    file {
        path => "/path/to/my/files/**/*.*"
    }
}

filter {
    grok {
        # to match a csv file with two elements
        match => { "message" => "%{GREEDYDATA:field1}[;:]%{GREEDYDATA:field2}" }
    }
    ruby { code => 'event.set("path", [ event.get("path") ])' }

    fingerprint {
        method => "SHA1"
        concatenate_sources => "true"
        source => ["field1","field2"]
        key => ""
        target => "[@metadata][fingerprint]"
    }
}

output {
    elasticsearch {
        hosts => "http://elasticsearch:9200"
        document_id => "%{[@metadata][fingerprint]}"
        index => "test-duplicate"
        action => "update"
        doc_as_upsert => "true"
        script => 'ctx._source.path.add("%{path}");'
    }
}

This config will update "path" with an array of elements where the combination of field1 and field2 is a duplicate of something that's already saved in elasticsearch.
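
Added example, not part of the thread or of the Logstash project: the config above substitutes `%{path}` into the Painless source, so a file name containing a double quote changes the script text itself. This Ruby sketch contrasts that with an Elasticsearch update body that keeps the script constant, passes the path as a parameter, and seeds a one-element array in the upsert document. The helper names and sample paths are assumptions made for the example.

```ruby
require "json"

# Script text as the config above builds it: the path is substituted
# into the Painless source before the request is sent.
def interpolated_script(path)
  'ctx._source.path.add("' + path + '");'
end

# Hypothetical helper: body for the Elasticsearch Update API with a
# constant script source. The path travels as a parameter, and the upsert
# document (used when the id does not exist yet) holds a one-element array.
def parameterized_update(path, field1, field2)
  {
    "script" => {
      "lang"   => "painless",
      "source" => "if (!ctx._source.path.contains(params.p)) " \
                  "{ ctx._source.path.add(params.p) }",
      "params" => { "p" => path }
    },
    "upsert" => { "field1" => field1, "field2" => field2, "path" => [path] }
  }
end

# Constructed sample paths; the second one contains a double quote.
PLAIN  = "/path/to/my/file.txt"
QUOTED = '/path/to/my/fi"le.txt'

if __FILE__ == $PROGRAM_NAME
  [PLAIN, QUOTED].each do |p|
    puts interpolated_script(p)
    puts JSON.generate(parameterized_update(p, "a", "b"))
  end
end
```

With the parameterized form the script source is identical for every event, so only the `params` value varies between requests.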
