Each of my events contains one type of src addr and one type of dst addr.
These variations always produce errors. How do I properly use the coalesce filter in Logstash? It isn't clear to me from the examples. This is what I've tried, and some variations of them.
alter { coalesce => [ [flow][SourceIP], "%{[netflow][ipv4_dst_addr]}", "%{[netflow][ipv4_dst_addr]}", "%{[ipfix][sourceIPv4Address]}", "%{[ipfix][sourceIPv6Address]}" }
alter { coalesce => [ "[flow][DestinationIP]", [netflow][ipv4_dst_addr], [netflow][ipv6_dst_addr], [ipfix][destinationIPv4Address], [ipfix][destinationIPv6Address] ] }
logstash-filter-alter is installed.