Mutate, copy, destination field name expansion

ffknob · January 23, 2019, 2:51pm

I'm trying to copy a field to a nested one with mutate-copy with a dynamic destination field name being (e. g. not hard coded in the pipeline conf). The thing is, the mutate-copy operation doesn't seens to expand the destination's field name:

mutate {
add_field =&gt; {
"id" =&gt; "NFe%{[origem][procEventoNFe][0][retEvento][0][infEvento][0][chNFe][0]}"
"timestamp" =&gt; "%{[origem][procEventoNFe][0][retEvento][0][infEvento][0][dhRegEvento]}"
"nSeqEvento" =&gt; "%{[origem][procEventoNFe][0][retEvento][0][infEvento][0][nSeqEvento]}"
}
copy =&gt; { "origem" =&gt; "[eventos][%{nSeqEvento}]" }
}

It generates in Elasticsearch the "events" -> "%{nSeqEvento}" structure, and not something like "events" -> "1".

Was that expected?

By the way

Badger · January 23, 2019, 5:07pm

Agreed. The following

input { generator { count => 1 message => '' } }
filter {
    mutate { add_field => { "a" => "b" "s" => 1 } }
    mutate { copy => { "a" => "%{s}" } }
}
output { stdout { codec => rubydebug } }

produces

      "%{s}" => "b"

I did not expect that.

ffknob · January 24, 2019, 12:51pm

I'm actually trying to push objects into a nested field in Elasticsearch... The idea was to use the value of an identifier field to define the key of the nested object ([eventos][%{nSeqEvento}])...

Is there another way to "push" objects into a nested field in ES? Perhaps without having to define an identifier.

ffknob · January 24, 2019, 1:19pm

I managed to work with something like this:

		ruby {
    		code => "
				nSeqEvento = event.get('[nSeqEvento]');
				event.set('[eventos][' + nSeqEvento + ']', event.get('[origem]'))
			"
  		}

system · February 21, 2019, 1:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.