Logstash converts singleton array to string

GitSpree23 · August 10, 2021, 9:14am

I'm using

mutate {
    add_field => { "new_field" => ["X"] }
  }

to create an array of integers which can be appended to downstream.

But logstash output reads as "new_field" => "X".

aaron-nimocks · August 10, 2021, 11:37am

This only works if you add more than 1 value. Then it will convert to an array.

mutate {
    add_field => { "new_field" => "x" }
  }

mutate {
    add_field => { "new_field" => "y" }
  }

That will create new_field: [ x, y ]

If you only want to create an array with 1 item then I use Ruby. All you are really doing is setting a new field with a value and wrapping in [ ].

  ruby {
    code => "event.set('new_field', [event.get('old_field')])"
  }

or

  ruby {
    code => "event.set('new_field', ['X'])"
  }

system · September 7, 2021, 11:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Mutate Arrays Logstash	1	58	July 9, 2024
Using "merge" to append a string literal to an array field? Logstash	5	2943	April 5, 2019
Adding field creates an array not a static string Logstash	8	1368	January 7, 2021
Logstash Mutate Split doesn't work Logstash	3	712	August 14, 2018
Add an array using Mutate's add_field Logstash	5	8873	October 29, 2019

Logstash converts singleton array to string

Related Topics