I've tried the split plugin, but I found a bizarre behavior...
filter {
split {
field => "Attribute"
target => "book_bundle"
periodic_flush => "false"
}
}
Which will take my source event, clone it into N new events, where N is the number of members of the Attribute array. The array member will be put into the book_bundle field.
and then I added mutate with gsub option to transform book_bundle field and place it into a book1 .. bookN fields...
The problem here, when my logstash process is running, I find only the first element transformed like I want.. and then when I stop the process I find the rest of array's elements in the output file!
I can't understand this behavior.