I'm using
mutate {
add_field => { "new_field" => ["X"] }
}
to create an array of integers which can be appended to downstream.
But logstash output reads as "new_field" => "X".
This only works if you add more than 1 value. Then it will convert to an array.
mutate {
add_field => { "new_field" => "x" }
}
mutate {
add_field => { "new_field" => "y" }
}
That will create new_field: [ x, y ]
If you only want to create an array with 1 item then I use Ruby. All you are really doing is setting a new field with a value and wrapping in [ ].
ruby {
code => "event.set('new_field', [event.get('old_field')])"
}
or
ruby {
code => "event.set('new_field', ['X'])"
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.