Store multiple values using ruby in multivalue field

bertr · October 7, 2022, 10:41am

By nature all fields in elasticsearch are multivalue-enabled, i.e. they can have multiple values in one document. Using mutate filter it is easy to add multiple values, but I need to use ruby. I am trying to add multiple values using the logstash ruby even API, but only the last value added is kept, basically overwriting previous values.

Example:

event.set(field, 1);
event.set(field, 2)

I was hoping that field would contain 1 and 2 as values, but only value 2 is kept. Is there another event API call (append?) that can do this?

Badger · October 7, 2022, 4:19pm

You would need an if-else similar to the ruby implementation of mutate+add_field.

bertr · October 8, 2022, 1:40pm

Perfect, thanks!

The following works like a charm:

arrayfield=[]
arrayfield.push(1)
arrayfield.push(2)
event.set(field, arrayfield)

Now field contains two values: 1 and 2

system · November 5, 2022, 1:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ruby Filter to Add Multiple Values to a Field Logstash	3	2333	July 18, 2019
How to add all field values in a single field? Logstash	3	502	October 13, 2021
Json field parsing , multi value field Logstash	11	2113	October 11, 2017
Adding multiple values to an array Logstash	20	3832	March 14, 2022
External Ruby, more than one value in a hash Logstash	4	479	January 20, 2021

Store multiple values using ruby in multivalue field

Related topics