How to get the value of an array using ctx.payload

Hello,

Let's say I have the results below in an array of 2:

        "hits": {
          "hits": [
            {
              "_index": "blah-2021.10.01-000003",
              "_type": "_doc",
              "_source": {
                "log.message": "blah blah",
                "log.syslog.severity.code": "1",
                "log.syslog.priority.code": "129",
                "log.syslog.appname": "MS_SI",
                "log.hostname": "xxx",
                "host.hostname": "yyy",
                "process.pid": "5619",
                "host.type": "xxx",
                "log.syslog.tag": "MS_SI[5619]",
                "log.syslog.facility.name": "local0",
                "@timestamp": "2021-10-05T16:30:35.982Z",
                "log.syslog.structured-data": "-",
                "@version": "1",
                "source.ip": "1.1.1.1",
                "log.syslog.severity.name": "alert",
                "log.code": "0X50000000",
                "log.syslog.priority.name": "local0.alert",
                "log.original": "blah blah 2",
                "log.syslog.facility.code": "16",
                "log.syslog.version": "1"
              },
              "_id": "fSC_VnwBcyUX2n9Drmuo",
              "_score": 21.817675
            },
            {
              "_index": "blah-2021.10.01-000003",
              "_type": "_doc",
              "_source": {
                "log.message": "blah blah",
                "log.syslog.severity.code": "1",
                "log.syslog.priority.code": "129",
                "log.syslog.appname": "MS_SI",
                "log.hostname": "xxxx",
                "host.hostname": "xxxx",
                "process.pid": "5619",
                "host.type": "xxx",
                "log.syslog.tag": "MS_SI[5619]",
                "log.syslog.facility.name": "local0",
                "@timestamp": "2021-10-07T05:00:07.890Z",
                "log.syslog.structured-data": "-",
                "@version": "1",
                "source.ip": "2.2.2.2",
                "log.syslog.severity.name": "alert",
                "log.code": "0X50000000",
                "log.syslog.priority.name": "local0.alert",
                "log.original": "blah blah 2",
                "log.syslog.facility.code": "16",
                "log.syslog.version": "1"
              },
              "_id": "EisfWXwBBYtMJzigfHlV",
              "_score": 21.817675
            }
          ]
        }

I am able to extract the _source, but nothing under _source. For example, if I want this specific field: log.hostname, what would I need to do?

Example:
with

ctx.payload.hits.hits.0._source

I can get the first ID in the array

{log.message=blah blah, log.syslog.severity.code=1, log.syslog.priority.code=129, log.syslog.appname=MS_SI, log.hostname=xxx, host.hostname=yyy, process.pid=5619, host.type=xxx, log.syslog.tag=MS_SI[5619], log.syslog.facility.name=local0, @timestamp=2021-10-07T05:24:47.870Z, log.syslog.structured-data=-, @version=1, source.ip=1.1.1.1, log.syslog.severity.name=alert, log.code=0X50000000, log.syslog.priority.name=local0.alert, log.original=blah blah 2, log.syslog.facility.code=16, log.syslog.version=1}.

But this returns nothing:

ctx.payload.hits.hits.0._source.log.hostname

Hello, I just found in another topic that Mustache does not like "." in the variables and a transformation is required as described below
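One way to do such a transformation, as an added example that is not part of the original posts or the topic they refer to: a Painless script transform that copies the dotted `_source` keys into dot-free names, followed by a logging action that reads them with Mustache. The names `alerts`, `hostname`, `source_ip`, `timestamp` and `log_hosts` are assumptions chosen for this sketch, and the fragment shows only the `transform` and `actions` parts of a watch.

```json
{
  "metadata": {
    "note": "Added example. The keys alerts, hostname, source_ip and timestamp are assumed names, not from the original post."
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "return ['alerts': ctx.payload.hits.hits.stream().map(h -> ['hostname': h._source['log.hostname'], 'source_ip': h._source['source.ip'], 'timestamp': h._source['@timestamp']]).collect(Collectors.toList())];"
    }
  },
  "actions": {
    "log_hosts": {
      "logging": {
        "text": "First host: {{ctx.payload.alerts.0.hostname}}. All hits: {{#ctx.payload.alerts}}{{timestamp}} {{hostname}} {{source_ip}}; {{/ctx.payload.alerts}}"
      }
    }
  }
}
```

Inside Painless the bracket form `h._source['log.hostname']` looks up the literal key, which the Mustache path `_source.log.hostname` cannot do because it treats each dot as a step into a nested object.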
