Hello,
Due to the fact that a field is getting interpreted as a single string and attempted to be indexed into Elasticsearch as type ip (and failing due to mapping, rightfully so), I am looking to take values separated by commas, then add them to a multi-valued field.
For example, I have a field destination_ip_orig with a value of 192.168.1.1,192.168.1.2 that has been pulled using the csv filter.
I would like to make that into a multi-valued field called destination_ip with the values of 192.168.1.1 and 192.168.1.2.
Because the number of values can fluctuate from 1 to n, I am using Ruby to iterate through the values, and add them to the multi-valued field.
I have tried:
    ruby {
      code => "
        inputs = event.get('destination_ip_orig').split(',')
        for input in inputs
          event.set('destination_ip', event.get('destination_ip') + input )
        end
      "
    }
...but I receive an error with regard to array and string conversion, etc.
I have also tried input as [input], and ['input'], but once I do use it that way, it just seems to concatenate the values, instead of adding them as elements to the array.
I think I have been looking at it too long. Is it something simple, or am I overcomplicating it?
Any help would be appreciated!
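
An added example, not part of the original post: one way to turn the comma-separated destination_ip_orig string into an array for destination_ip, checking each entry so a malformed value cannot fail the ip mapping for the whole event. FakeEvent is a constructed stand-in for the Logstash event (get/set only) so the code runs outside Logstash, and the destination_ip_invalid field name is an assumption.

```ruby
require 'ipaddr'

# Constructed stand-in for the Logstash event API (get/set only).
# Hypothetical helper for this example, not Logstash code.
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end
end

# True only for a single IPv4/IPv6 address.
def ip_literal?(text)
  # IPAddr also parses CIDR networks; assumed unwanted in an ip-typed field.
  return false if text.include?('/')
  IPAddr.new(text)
  true
rescue IPAddr::Error
  false
end

# Split the source field on commas and store the valid addresses as an array.
# Building the array first and calling set once avoids `nil + String`
# (target not set yet) and `Array + String` (type mismatch).
def split_ips(event, source, target, rejected)
  raw = event.get(source)
  return event if raw.nil?

  items = raw.to_s.split(',').map(&:strip).reject(&:empty?)
  good, bad = items.partition { |item| ip_literal?(item) }

  event.set(target, good) unless good.empty?
  # Keep rejected entries in their own field so nothing is silently dropped.
  event.set(rejected, bad) unless bad.empty?
  event
end
```

Inside a Logstash ruby filter the same logic would operate on the real `event` object in place of FakeEvent.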