Hi, I'm using logstash as a method of posting tickets into our ticketing system using data from an elasticsearch index. The API for our ticketing system expects all of the custom fields for our ticket to come through as an array. I am currently creating this array using the ruby filter, like so:
    ruby {
      code => '
        event.set("[ticket][custom_fields]", [
          {"id" => "12345", "value" => event.get("[field1]")},
          {"id" => "678910", "value" => event.get("[field2]")},
          {"id" => "109876", "value" => event.get("[field3]")},
          {"id" => "54321", "value" => event.get("[field3]")},
          {"id" => "99999", "value" => event.get("[field4]")},
          {"id" => "11111", "value" => event.get("[field5]")}
        ])
      '
    }
Here's where my issue lies: while there are some custom fields that I'm going to want to populate for every single event, there are others that I only want to populate under certain conditions. So is there some way for me to, when that condition is true, append an additional entry into the array?
I thought I might be able to do something like
    event.set("[ticket][custom_fields]", event.get("[ticket][custom_fields]") + {"id" => "55555", "value" => event.get("[new_field]")})
but that would append the new item on after the closing ']' so I don't think that would work. Does the ruby filter in logstash perhaps support some kind of push function? That's what would make the most sense to me (assuming it exists) but I couldn't find any examples online of someone trying to do the same thing that I am trying to do.
Of course what I could do is just have it so if the condition is true, I could just completely overwrite the entire [ticket][custom_fields] object with all the fields that I want added under that condition. However, there are multiple different situations where I would want to add specific fields under specific conditions, and if I wanted to go down that route it would require mountains of duplicated code and just become increasingly hard to maintain.
Anyone have any ideas? Thanks in advance!
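
An added example, not part of the original post: conditional appends to `[ticket][custom_fields]` in plain Ruby, using `<<` (push) while building the array and array concatenation when appending later. `FakeEvent`, the `ALWAYS` and `CONDITIONAL` tables, and the `[severity]` condition are assumptions made so the code runs outside Logstash; the function bodies are what would go inside the filter's `code` string.

```ruby
# Stand-in for the Logstash event so this runs offline (hypothetical class);
# only the get/set calls used in the post are modelled.
class FakeEvent
  def initialize(data)
    @data = data
  end

  def get(ref)
    @data.dig(*keys(ref))
  end

  def set(ref, value)
    *parents, leaf = keys(ref)
    node = parents.reduce(@data) { |h, k| h[k] ||= {} }
    node[leaf] = value
  end

  private

  # "[ticket][custom_fields]" -> ["ticket", "custom_fields"]
  def keys(ref)
    ref.scan(/\[([^\]]+)\]/).flatten
  end
end

# Entries sent for every event (ids and fields taken from the post).
ALWAYS = { "12345" => "[field1]", "678910" => "[field2]" }.freeze

# Entries added only when their condition holds. The severity test is a
# constructed condition; substitute the real one.
CONDITIONAL = [
  { "id" => "55555", "from" => "[new_field]",
    "when" => ->(e) { e.get("[severity]") == "high" } }
].freeze

def build_custom_fields(event)
  fields = ALWAYS.map { |id, ref| { "id" => id, "value" => event.get(ref) } }
  CONDITIONAL.each do |rule|
    next unless rule["when"].call(event)
    fields << { "id" => rule["id"], "value" => event.get(rule["from"]) } # push
  end
  event.set("[ticket][custom_fields]", fields)
end

# Append in a later filter: read the array, add a one-element array, write back.
# Array + Hash raises TypeError, so the new entry is wrapped in [].
def append_custom_field(event, id, ref)
  current = event.get("[ticket][custom_fields]") || []
  event.set("[ticket][custom_fields]", current + [{ "id" => id, "value" => event.get(ref) }])
end
```

Adding another conditional field is then one more row in `CONDITIONAL` rather than a second copy of the whole array.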