So, I'm scratching my head here. After exhaustive Googling I just don't know why this apparently simple function isn't working for me. Here is the filter/mutate code.
Using the output ruby codec, I get the following value for temp:
"temp" => "poc-pymsa-exceptions-log",
According to the 6.2 documentation, the "temp" field should be converted to an array : ['poc', 'pymsa', 'exceptions', 'log'] AND I should be able to access the array elements [temp][0] or [temp][2].
But its just not working. Any help is most appreciated
Thanks,
This is because LS only executes the add_field, remove_field, add_tag and remove_tag operations as the last thing a filter does to a given event. That is, the filters primary operations occur before the add|remove_field|tag operations (internally we call them decorations).
The reasoning here is that many filters have a conditional execution of decorations such that fields tags are only manipulated on successful execution of the filters main operation. Think grok, date, dissect, kv etc. However, as mutate is a multifunctional filter, there is no notion of overall success and so it executes the decorate functions unconditionally, but at the end.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.