Badger, I finally understood what you were saying and it works perfectly. Thanks for helping me out. I've searched through the forums and read through the documentation, and nowhere did I come across anything that refers to a literal return.
Here is my final filter:
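filter {
  # Work on a copy so the original "message" field is preserved.
  mutate {
    copy => { "message" => "message_head" }
  }
  # The separator is a literal newline inside the quotes, so the closing
  # quote must stay at the very start of the next line (no indentation).
  mutate {
    split => ["message_head", "
"]
  }
  # Keep only the first line of the message.
  mutate {
    replace => { "message_head" => "%{message_head[0]}" }
  }
}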
And a sample result:
"message_head": "An account was logged off."