Hello all,
I have a field which is an array and I would like to keep only the last element and put it into a new field.
"data": {
"path": [
1111,
2222,
3333
]
I tried to copy data.path into a new field and use gsub to keep only the last one.
According Logstash logs. it seems that we cannot apply gsub on array.
[2022-05-10T17:02:41,062][WARN ][logstash.filters.mutate ][network-processing][376475260c6f8b36d68ccab991531238e7cf73a095a8a804165da9eaac7a6de5] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"[as][origin]", :value=>1111}
[2022-05-10T17:02:41,063][WARN ][logstash.filters.mutate ][network-processing][376475260c6f8b36d68ccab991531238e7cf73a095a8a804165da9eaac7a6de5] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"[as][origin]", :value=>2222}
[2022-05-10T17:02:41,063][WARN ][logstash.filters.mutate ][network-processing][376475260c6f8b36d68ccab991531238e7cf73a095a8a804165da9eaac7a6de5] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"[as][origin]", :value=>3333}
I tried also to convert the new field into a string but still the same error.
mutate {
copy => { "[data][path]" => "[data][new_field]" }
}
mutate {
convert => { "[data][new_field]" => "string" }
gsub => [ "[data][new_field]", ".*\ ", "" ]
}
I have the feeling that I'm not on the good way to achieve it.
Do someone has an idea how to proceed ?
Thank you,
Regards,
zid57