Mutate, copy, destination field name expansion

I'm trying to copy a field to a nested one with mutate-copy, with the destination field name being dynamic (e.g. not hard-coded in the pipeline conf). The thing is, the mutate-copy operation doesn't seem to expand the destination's field name:

mutate {
    add_field => {
        "id" => "NFe%{[origem][procEventoNFe][0][retEvento][0][infEvento][0][chNFe][0]}"
        "timestamp" => "%{[origem][procEventoNFe][0][retEvento][0][infEvento][0][dhRegEvento]}"
        "nSeqEvento" => "%{[origem][procEventoNFe][0][retEvento][0][infEvento][0][nSeqEvento]}"
    }
    copy => { "origem" => "[eventos][%{nSeqEvento}]" }
}

It generates in Elasticsearch the "events" -> "%{nSeqEvento}" structure, and not something like "events" -> "1".

Was that expected?

By the way

Agreed. The following

input { generator { count => 1 message => '' } }
filter {
    mutate { add_field => { "a" => "b" "s" => 1 } }
    mutate { copy => { "a" => "%{s}" } }
}
output { stdout { codec => rubydebug } }

produces

      "%{s}" => "b"

I did not expect that.

I'm actually trying to push objects into a nested field in Elasticsearch... The idea was to use the value of an identifier field to define the key of the nested object ([eventos][%{nSeqEvento}])...

Is there another way to "push" objects into a nested field in ES? Perhaps without having to define an identifier.

I managed to work with something like this:

ruby {
    code => "
        nSeqEvento = event.get('[nSeqEvento]');
        event.set('[eventos][' + nSeqEvento + ']', event.get('[origem]'))
    "
}
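
A stricter variant of the ruby filter workaround above, as an added example that is not part of the original thread: it validates the data-derived key before building the field reference, so a missing value, an unresolved `%{...}` literal, or a value containing `[` or `]` cannot end up as a field name. `FakeEvent` is a stand-in for the Logstash event so the logic runs outside Logstash; the function name, the `_nseq_invalid` tag and the assumption that `nSeqEvento` is always digits are hypothetical.

```ruby
# Stand-in for the Logstash event API (get/set with [a][b] references).
# Assumption for this example only; it is not Logstash's implementation.
class FakeEvent
  def initialize(data)
    @data = data
  end

  # "[eventos][1]" -> ["eventos", "1"]
  def path(ref)
    ref.scan(/\[([^\[\]]+)\]/).flatten
  end

  def get(ref)
    path(ref).reduce(@data) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  end

  def set(ref, value)
    *parents, leaf = path(ref)
    node = parents.reduce(@data) { |n, key| n[key] ||= {} }
    node[leaf] = value
  end
end

# Logic that could sit in a ruby filter's code => "..." with `event` in scope.
# Returns true when [origem] was copied under [eventos][<nSeqEvento>].
def copy_under_dynamic_key(event)
  seq = event.get('[nSeqEvento]').to_s # nil becomes "", which fails the check
  # Assumed format: digits only. This also rejects the literal "%{...}" that
  # add_field leaves behind when the referenced source field does not exist,
  # and any value with brackets that would change the field reference.
  unless seq.match?(/\A\d+\z/)
    event.set('[tags]', (event.get('[tags]') || []) + ['_nseq_invalid'])
    return false
  end
  event.set("[eventos][#{seq}]", event.get('[origem]'))
  true
end

# Constructed sample events: one valid, one with an unresolved reference.
good = FakeEvent.new('nSeqEvento' => '1', 'origem' => { 'procEventoNFe' => [] })
bad  = FakeEvent.new('nSeqEvento' => '%{[origem][nSeqEvento]}', 'origem' => {})
puts copy_under_dynamic_key(good), good.get('[eventos]').inspect
puts copy_under_dynamic_key(bad), bad.get('[tags]').inspect
```

Events tagged `_nseq_invalid` can then be routed to a separate output or dropped instead of creating unexpected keys in the index.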
