Logstash Mutate Split doesn't work

deadPix3l · July 16, 2018, 10:56pm

I'm stuck with 6.1.1 and cannot upgrade, sorry if this was known and fixed but ive been searching for hours for a workaround.

using something similar to:

filter {
   mutate {
      split => { "dottedField" => '.' }
   }
}

and a field value like this.is.a.dotted.string should produce ["this", "is", "a", "dotted", "string"]

What it actually produces is ["this.is.a.dotted.string"] ie. It does convert it into an array, but it doesn't actually split it. So i get string => array with original string as only element.

Please Help.

Badger · July 16, 2018, 11:57pm

If you run a really simple configuration like this, what do you get?

output { stdout { codec => rubydebug } }
input { generator { count => 1 message => '' } }
filter {
    mutate { add_field => { "dottedField"=> "this.is.a.dotted.field" } }
    mutate { split => { "dottedField" => '.' } } 
}

In 6.3.1 I get an array with five entries.

Is it possible it started out as an array and you should really be using

mutate { split => { "[dottedField][0]" => '.' } }

deadPix3l · July 17, 2018, 5:44pm

Wow. Somehow i missed that.

Kibana shows arrays as comma seperated. only 1 element == no commas == looks like a string.
But the ES API returns a json array. AHA!

This fixed it, Thank You! (and so timely too!)

system · August 14, 2018, 5:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.