HTTP Filter With Array

I have a field, assigned_to_current, that occasionally contains an array of values. I want to pass each of these values to the HTTP filter and then have it replace each value with the http result value. I guess like the translate filter...but with an API call. Below is what I am doing with the field and it works great with single values. How can I adapt this to work with a field that may contain an array of values?

  if [assigned_to_current] and [assigned_to_current] != "" and [assigned_to_current] != "guest" {
    http {
      headers => {
        "Authorization" => "12345"
        "Content-Type" => "application/json"
      }
      verb => "GET"
      url => "https://example.com/api/sys_user/%{[assigned_to_current]}"
      target_body => assigned_to_lookup
    }
    mutate { replace => { "assigned_to_current" => "%{[assigned_to_lookup][result][user_name]}" } }
  }
  else if ![assigned_to_current] or [assigned_to_current] == "" { mutate { replace => { "assigned_to_current" => "unassigned" } } }

If there is a very limited number of entries in the array you could duplicate the section and replace [assigned_to_current] with [assigned_to_current][0] in one duplicate and [assigned_to_current][1] in the other. Otherwise you could use a split filter to break the array into multiple events. Otherwise, use a ruby filter with .each and implement the HTTP call yourself.

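The ruby-filter approach suggested in the reply, as an added example that is not part of the original thread: it looks up each element of `assigned_to_current` with its own GET and handles both the single-value and the array case. The method names, `ID_PATTERN` and the `SYS_USER_API_TOKEN` environment variable are assumptions; the endpoint and the `[result][user_name]` response shape are taken from the question's config.

```ruby
require 'net/http'
require 'json'
require 'uri'

API_BASE = 'https://example.com/api/sys_user/' # endpoint from the question
ID_PATTERN = /\A[\w-]{1,64}\z/                  # assumed shape of a valid ID

# One GET per ID; returns [result][user_name], or nil on any failure.
def fetch_user_name(id)
  # Event data goes into the URL path, so reject anything but a plain token.
  return nil unless id.is_a?(String) && id.match?(ID_PATTERN)
  uri = URI.parse(API_BASE + id)
  req = Net::HTTP::Get.new(uri)
  # SYS_USER_API_TOKEN is a hypothetical variable name, not from the post.
  req['Authorization'] = ENV.fetch('SYS_USER_API_TOKEN', '')
  req['Content-Type'] = 'application/json'
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true,
                        open_timeout: 5, read_timeout: 5) { |h| h.request(req) }
  return nil unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body).dig('result', 'user_name')
rescue StandardError
  nil
end

# Accepts one value or an array and returns the same shape, with each ID
# replaced by its user_name. A failed lookup keeps the original value.
def resolve_assignees(value, cache = {}, &lookup)
  lookup ||= method(:fetch_user_name)
  return 'unassigned' if value.nil? || value == '' || value == []
  resolved = Array(value).map do |id|
    next id if id == 'guest'            # same exclusion as the conditional
    cache[id] = lookup.call(id) unless cache.key?(id) # one call per distinct ID
    cache[id] || id
  end
  value.is_a?(Array) ? resolved : resolved.first
end

# In the ruby filter's code, the call would be:
#   event.set('assigned_to_current',
#             resolve_assignees(event.get('assigned_to_current')))
```

The per-call cache keeps a repeated ID within one event from triggering a second request, and the timeouts keep a slow API from stalling the pipeline worker.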