Logstash - Aggregate filter - one more field

Hello,

I created an aggregate filter.

Hi

The aggregate{} filter generates a new empty event; you have to map any fields you need from the original event to the new event, just like you already do with constants or message. Try to do the same with your TEST.

Hope this helps.

Hello, thank you for your reply. I tried it, but I prefer to have TEST in the header because I would like to add the aggregate filter to an existing index.
I don't want to change the header index structure so much. I wanted to add a new field constant with nested values. Maybe I can do it a different way, but I don't know why. :slight_smile: Kattie

Hi

Maybe I misunderstood your question. You mentioned in your original post that you want to obtain an output like this:

```
"@version" => "1",
"@timestamp" => 2020-02-21T08:40:53.121Z,
"message" => "a'a';b'b'\r",
"TEST" => "TEST",
"constants" => [
    [0] {
        "constant_clear" => [
            [0] "a"
        ],
              "constant" => [
            [0] "a"
        ],
    },
    [1] {
        "constant_clear" => [
            [0] "b"
        ],
              "constant" => [
            [0] "b"
        ],
    }
],
```

To achieve it you would add to your filter a line like this:

```
map['TEST'] ||= event.get('TEST')
```

Is this what you need?
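
A sketch of where that line sits in a complete filter, added here as an example and not taken from either poster's pipeline. The field names TEST, constants, constant and constant_clear come from the output quoted above; the `task_id` correlation field, the `timeout` value and the choice of `push_previous_map_as_event` are assumptions.

```logstash
filter {
  # Assumption: every row of one logical record carries the same "task_id"
  # field, a top-level "TEST" field, and per-row "constant" and
  # "constant_clear" fields.
  aggregate {
    task_id => "%{task_id}"

    # The aggregated event starts out empty, so each field wanted on it has to
    # be copied into the map explicitly. "||=" keeps the first TEST value seen
    # for the task; the nested values are appended row by row. The original
    # per-row event is cancelled so only the aggregated event is indexed.
    code => "
      map['TEST'] ||= event.get('TEST')
      map['constants'] ||= []
      map['constants'] << {
        'constant'       => event.get('constant'),
        'constant_clear' => event.get('constant_clear')
      }
      event.cancel()
    "

    # Emit the map as a new event when the next task_id appears, and flush the
    # last task after the timeout (seconds, assumed value).
    push_previous_map_as_event => true
    timeout => 5
  }
}
```

The aggregate filter keeps its maps in memory per worker, so this pattern needs the pipeline to run with a single worker (`pipeline.workers: 1`) for rows of one task to be seen in order.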

OMG, you are right. Thank you. :slight_smile:
