I am trying to set an event with multiple records in an array as follows
ruby {
code => "
begin
event.set('[fieldname][0]', 'This is record 0')
event.set('[fieldname][1]', 'This is record 1')
end"
}
Then I am trying to split that into two separate documents
split {
field => '[fieldname]'
}
This doesn't give me an error but it doesn't split the field either.
What does the resulting event look like then? Use a stdout { codec => rubydebug } output.
I'd use
event.set('fieldname', ['Record 0', 'Record 1'])
to create an array field.
That works well. How can I add fields to that array on multiple lines? Something like
event.set('fieldname', ['Record 0',])
event.set('fieldname', ['Record 1',])
Obviously the problem with this is that the second line just overwrites the first.
I also tried
event.set('fieldname', ['Record 0',])
event.set('fieldname', [event.get(fieldname), 'Record 1'])
That just nests the first record further.
event.set('fieldname', event.get(fieldname) + ['Record 1'])Brilliant. Thank you.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.