I have the following logstash snippet:
# Branch for events that carry a [Properties][Telemetry] object: copies the
# telemetry key/value/component into top-level fields and tries to turn the
# comma-separated [Properties][Telemetry][Tags] string into individual tags.
# NOTE(review): the "if" that opens this conditional chain is not part of the snippet.
elseif [Properties][Telemetry] {
mutate {
# "update" only changes a field that already exists; it does not create "logtype".
update => { "logtype" => "telemetry" }
add_field => {
# Each %{...} reference is substituted from the event. If the referenced field
# is missing, Logstash leaves the literal "%{...}" text in place, so an event
# without Tags would end up with that placeholder string as a tag further down.
"key" => "%{[Properties][Telemetry][Key]}"
"value" => "%{[Properties][Telemetry][Value]}"
"component" => "%{[Properties][Component]}"
"test_tags" => "%{[Properties][Telemetry][Tags]}"
# Hard-coded test value, left disabled.
#"test_tags" => "hello, yello"
}
}
# Separate mutate blocks run in the order written; within a single mutate the
# plugin applies its operations in its own fixed order, which is presumably why
# split / strip / add_tag are kept in blocks of their own.
mutate {
# Turns the comma-separated string into an array.
split => { "test_tags" => "," }
}
mutate {
# Trims surrounding whitespace from the array elements.
strip => [ "test_tags" ]
}
mutate {
add_tag => [ "telemetry" ]
# This is the line that does not do what is wanted: %{test_tags} is a string
# substitution, and the sample output on this page shows the array rendered as
# one comma-joined string, so a single tag is added instead of one per element.
# NOTE(review): these tag values come from the event payload itself; anything
# downstream that branches on "tags" should not assume every tag was set by the
# pipeline - confirm against the rest of the configuration.
add_tag => [ "%{test_tags}" ]
}
mutate {
# Drops the original nested object once the needed values have been copied out.
remove_field => "Properties"
lowercase => [ "key" ]
}
}
The value of [Properties][Telemetry][Tags] is a comma-separated list, and I want each item to end up in "tags" as a separate item. Using split I'm able to get "test_tags" to show up as an array, but no matter what I do I can't seem to add each item of that field to "tags" using add_tag; the whole list ends up as a single comma-joined tag instead (see tags[3] below). Any suggestions welcome! Sample output of my current filter:
{
"Level" => "Information",
"@version" => "1",
"@timestamp" => "2017-02-01T17:59:33.842Z",
"source" => "C:\\Logstashtest\\logs\\Services.Metadata.MessageHandler-20170201.txt",
"fields" => nil,
"offset" => 2780,
"type" => "log",
"input_type" => "log",
"count" => 1,
"beat" => {
"hostname" => "DESKTOP-5E16B28",
"name" => "DESKTOP-5E16B28"
},
"tags" => [
[0] "win2012r2",
[1] "beats_input_codec_json_applied",
[2] "telemetry",
[3] "channel:nrk,channel:123,message:AddAssets"
],
"host" => "DESKTOP-5E16B28",
"logtype" => "telemetry",
"hour" => "17",
"computername" => "WM14",
"messagelevel" => "Information",
"key" => "assetsrecievedonbus",
"value" => 6,
"component" => "Services.Metadata.MessageHandler",
"test_tags" => [
[0] "channel:nrk",
[1] "channel:123",
[2] "message:AddAssets"
]
}