Set a nested field with a variable

dwatbmc · December 9, 2020, 3:46pm

Can't find a way to do this with Mutate, so I am attempting it in Ruby, but still failing:

I have two fields:
[log][group] = "panos"
[log][type] = "threat"

Based on these two field values, I want to copy the JSON Object from [labels][group] to a new field [panos][threat], using the values in log.group and log.type, as they can change.

With Mutate:

mutate {  add_field => {"[%{[log][group]}][%{[log][type]}]" => "%{[labels][group]}"} }

This results in a JSON String, rather than the nested object structure. So using Ruby:

code => '
                    mygroup = event.get("[log][group]").to_s
                    mytype = event.get("[log][type]").to_s
                    myvalue = event.get("[labels][group]")
                    event.set("[mygroup][mytype]",myvalue)
                '

The last line with event.set - I can't figure out the syntax to reference the two variables to create the nested field.

Ideas?

dwatbmc · December 9, 2020, 4:00pm

Found my own answer. For anyone else, the correct syntax:

event.set("[#{mygroup}][#{mytype}]",myvalue)

system · January 6, 2021, 4:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter mutate add_field to create a nested field Logstash	2	201	April 10, 2024
Append nested variable's value to a string Logstash	7	1074	November 5, 2021
Access nested fields in mutate filter Logstash	5	22896	July 6, 2017
Best way to set a field value to be a (json) object? Logstash	3	5220	February 22, 2019
Error creating new field with the valu of a nested field Logstash	4	241	May 3, 2022

Set a nested field with a variable

Related topics