Hello,
I am trying to parse a CEF event with Logstash using this mutate:
mutate {
    split => { "message" => "|" }
    add_field => { "cef_sig_name" => "%{message[5]}" }
    add_field => { "cef_extension" => "%{message[7]}" }
}
Each time, I get a _mutate_error tag because mutate cannot access message[5] and message[7].
I think split doesn't convert the string to an array but only replaces my | with , ... So the error seems "normal".
Do you have any idea why Logstash cannot convert message to an array?
I tried several mutates, used a temporary field, changed the array access...
I have no idea how to resolve this.
Thank you for your help.
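
An added example, not part of the original post: a Ruby version of the split the post attempts, written so that an escaped pipe (`\|`) inside a CEF header field and a raw pipe inside the extension do not shift indexes 5 and 7. The helper names and the sample event are constructed for illustration and are not Logstash APIs.

```ruby
# CEF layout: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# Index 5 is the event name, index 7 is the extension (as in the post).
# parse_cef_header is a hypothetical helper name.
def parse_cef_header(line)
  start = line.index("CEF:")          # skip any syslog prefix before the header
  raise ArgumentError, "not a CEF event" if start.nil?
  body = line[start..-1]

  fields = []
  current = +""
  i = 0
  # Consume exactly 7 header fields; stop before the extension.
  while i < body.length && fields.length < 7
    ch = body[i]
    if ch == "\\" && i + 1 < body.length && ["|", "\\"].include?(body[i + 1])
      current << body[i + 1]          # unescape \| and \\ inside the header
      i += 2
    elsif ch == "|"
      fields << current               # unescaped pipe ends the field
      current = +""
      i += 1
    else
      current << ch
      i += 1
    end
  end
  fields << current if fields.length == 6   # Severity with no trailing "|"
  raise ArgumentError, "truncated CEF header" if fields.length < 7

  # Everything after the 7th delimiter is the extension, pipes included.
  fields << body[i..-1].to_s
  fields
end

# Constructed sample: escaped pipe in the Name field, raw pipe in the extension.
SAMPLE = 'CEF:0|ExampleVendor|ExampleProduct|1.0|100|Blocked cmd\|pipe|5|src=10.0.0.1 msg=a|b'

def sig_name_and_extension(line)
  f = parse_cef_header(line)
  { "cef_sig_name" => f[5], "cef_extension" => f[7] }
end
```

On the sample, a plain `split("|")` yields ten elements and puts the severity at index 7, which is the kind of silent field shift that corrupts downstream detections.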