Store multiple values using ruby in multivalue field

bertr · October 7, 2022, 10:41am

By nature all fields in elasticsearch are multivalue-enabled, i.e. they can have multiple values in one document. Using mutate filter it is easy to add multiple values, but I need to use ruby. I am trying to add multiple values using the logstash ruby even API, but only the last value added is kept, basically overwriting previous values.

Example:

event.set(field, 1);
event.set(field, 2)

I was hoping that field would contain 1 and 2 as values, but only value 2 is kept. Is there another event API call (append?) that can do this?

Badger · October 7, 2022, 4:19pm

You would need an if-else similar to the ruby implementation of mutate+add_field.

bertr · October 8, 2022, 1:40pm

Perfect, thanks!

The following works like a charm:

arrayfield=[]
arrayfield.push(1)
arrayfield.push(2)
event.set(field, arrayfield)

Now field contains two values: 1 and 2

system · November 5, 2022, 1:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.