OK, I did not understand your original complaint. I agree that it is not ideal. This configuration
input { generator { count => 1 lines => [ '' ] } }
filter {
mutate { add_field => { "[details][data][field1]" => "alfa" } }
mutate { add_field => { "[details][data][field2]" => "rOMEO" } }
mutate {
rename => [ "[details][data][field1]", "[new_field1]"]
rename => {
"[details][data][field2]" => "[new_field2]"
}
}
}
output { stdout { codec => rubydebug { metadata => false } } }
Does indeed produce a configuration error
[2021-09-04T12:43:47,459][ERROR][logstash.filters.mutate ] Invalid setting for mutate filter plugin:
filter {
mutate {
# This setting must be a hash
# This field must contain an even number of items, got 3
rename => ["[details][data][field1]", "[new_field1]", ["[details][data][field2]", "[new_field2]"]]
...
However, if you add a second entry to the hash
mutate {
rename => [ "[details][data][field1]", "[new_field1]"]
rename => {
"[details][data][field2]" => "[new_field2]"
"[details][data][field3]" => "[new_field3]"
}
You instead get a runtime error
Exception caught while applying mutate filter {:exception=>"Invalid FieldReference: `[\"[details][data][field2]\", \"[new_field2]\"]`"}
In general, you get an (accidental) configuration error for an odd number of hash entries, and a runtime error for an even number of hash entries.
If we reverse the order of entries in the first case
mutate {
rename => {
"[details][data][field2]" => "[new_field2]"
}
rename => [ "[details][data][field1]", "[new_field1]" ]
we get no exception, but bad data
"details" => {
"data" => {}
},
"" => "alfa",
"new_field2" => "rOMEO",
So merging arrays and hashes is all kinds of broken. You could open an issue on github, but I doubt it will ever get addressed.