Create field depending on array index value

No_Executable · March 15, 2018, 12:41pm

What I want to do is depending on the ID, array index 0, is to instead put the ID label, array index 1 into the new field Command.

My current filter config looks like this:

filter {
    xml {
        source => 'message'
        target => 'doc'
    }
    mutate {
        remove_field => 'message'
        split => {"[doc][Message]" => "	"}
    }
    if "%{[doc][Message][0]}" == "3D3D3D3D3D" {
        mutate {
            add_field => [ "Command", "%{[doc][Message][1]}" ]
        }
    }
    else {
        mutate {
            add_field => [ "Command", "%{[doc][Message][0]}" ]
        }
    }
}

If index 0 is 3D3D3D3D3D I want to instead pull up the command label which is at index 1.

As it is now it just continues with the else and puts 3D3D3D3D3D in the Command field.

Badger · March 15, 2018, 1:05pm

That should be

if [doc][Message][0] == "3D3D3D3D3D" {

No_Executable · March 15, 2018, 1:23pm

So close, yet so far.

Thanks!

system · April 12, 2018, 1:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.