I've found a few threads online discussing this but what my situation requires is more complex. Basically I have a array data field called target, where in most of the cases in my feeds it just consists of 1 element but the rest are nested ( > 2 elements).
An example of its nested syntax: "target": ["A - B", "P - Q", "X - Y"]
What I would like to achieve is to split each element by the dash (-) and thereafter push each first half into a new field called "main" and and the second half into another new field called "sub".
Final desired output:
The field "main" should consist of A, P and X and the field "sub" should consist of B, Q and Y.
My code right now that doesn't completely work:
if [target] {
mutate {
split => {
"target" => "-"
}
}
mutate {
add_field => {
"main" => "%{[target][0]}"
"sub" => "%{[target][1]}"
}
}
}
Anyone knows how to accomplish this? I know ruby filters are definitely required as well but I do not know how to write them.