Can't find a way to do this with Mutate, so I am attempting it in Ruby, but still failing:
I have two fields:
```
[log][group] = "panos"
[log][type] = "threat"
```
Based on these two field values, I want to copy the JSON Object from [labels][group] to a new field [panos][threat], using the values in log.group and log.type, as they can change.
With Mutate:
```
mutate { add_field => {"[%{[log][group]}][%{[log][type]}]" => "%{[labels][group]}"} }
```
This results in a JSON String, rather than the nested object structure. So using Ruby:
```
code => '
  mygroup = event.get("[log][group]").to_s
  mytype = event.get("[log][type]").to_s
  myvalue = event.get("[labels][group]")
  event.set("[mygroup][mytype]",myvalue)
'
```
The last line with event.set - I can't figure out the syntax to reference the two variables to create the nested field.
Ideas?
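The nested field reference can be built with Ruby string interpolation, `"[#{group}][#{type}]"`, which passes the object through without stringifying it. The following is an added example, not part of the original post: `StubEvent`, `copy_labels`, `SAFE_KEY` and the sample label values are hypothetical names that stand in for the event Logstash hands to a ruby filter, so the logic can run outside Logstash.

```ruby
# Stand-in for the Logstash Event get/set API with "[a][b]" field references.
# Constructed for this example; in a ruby filter, `event` comes from Logstash.
class StubEvent
  def initialize(data)
    @data = data
  end

  def get(ref)
    keys(ref).reduce(@data) { |node, k| node.is_a?(Hash) ? node[k] : nil }
  end

  def set(ref, value)
    *parents, leaf = keys(ref)
    node = parents.reduce(@data) do |n, k|
      n[k] = {} unless n[k].is_a?(Hash)
      n[k]
    end
    node[leaf] = value
  end

  private

  def keys(ref)
    ref.scan(/\[([^\[\]]+)\]/).flatten
  end
end

# The key parts come from log data, so only plain names are accepted.
SAFE_KEY = /\A[A-Za-z0-9_-]+\z/

# Body of the ruby filter: copy [labels][group] to [<log.group>][<log.type>].
def copy_labels(event)
  group = event.get("[log][group]").to_s
  type  = event.get("[log][type]").to_s
  value = event.get("[labels][group]")
  # Skip empty or bracket-carrying values that would alter the field path.
  return false unless group.match?(SAFE_KEY) && type.match?(SAFE_KEY) && !value.nil?
  event.set("[#{group}][#{type}]", value) # interpolated reference, object kept as-is
  true
end

# Constructed sample event matching the fields in the question.
def sample_event
  StubEvent.new({ "log" => { "group" => "panos", "type" => "threat" },
                  "labels" => { "group" => { "severity" => "high", "action" => "alert" } } })
end
```

Inside the filter's `code => '...'` string, the double-quoted `"[#{group}][#{type}]"` is evaluated by Ruby, so only the `event.set` line of the original attempt needs to change.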