Hi, I'm trying to figure out the logstash filter syntax for mutate to add tags (using add_tag) to an event coming from a couchdb_changes feed where the tags need to come from a document attribute that is, itself, an array (coincidentally called tags).
The logstash configuration file looks something like this (edited for brevity and security):

    input {
      couchdb_changes {
        host => "couch"
        port => "5984"
        db => "test"
        codec => "json"
      }
    }
    filter {
      # some document attributes are turned into event attributes
      mutate {
        add_field => { "doc_id" => "%{[@metadata][_id]}" }
        add_field => { "title" => "%{[doc][name]}" }
        add_field => { "description" => "%{[doc][description]}" }
      }
      # several fields are used to add tags like this
      if [doc][somekey] {
        mutate { add_tag => [ "somekey" ] }
      }
      # How to add all the values in the doc.tags array as tags to the event?
      # we don't want to store the whole doc in elasticsearch because it's big.
      mutate { remove_field => [ "doc" ] }
    }
    output {
      stdout { codec => "rubydebug" }
      elasticsearch {
        hosts => "elasticsearch:9200"
        document_id => "%{[@metadata][_id]}"
        document_type => "%{[@metadata][type]}"
      }
    }

As noted, the couchdb document has an attribute called 'tags' which is an array of string values. I would like to add each of these values to the event using add_tag but I cannot figure out the syntax for doing so.
I have tried something like this:

    mutate {
      add_field => { "tags" => "%{[doc][tags]}" }
      split => { "tags" => "," }
    }

before using add_tag elsewhere, but if tags is an empty array or has just one element, then tags in the event becomes a string and other values get string-concatenated to it.
I also tried

    mutate {
      add_tag => [ "%{[doc][tags]}" ]
    }

which adds all the tags as a single comma-separated entry in the tags array, after which I tried using split but that didn't seem to fix it.
Any help on syntax here would be appreciated.
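
One way to do what the post asks, as an added example that is not part of the original post: `%{[doc][tags]}` renders an array as one comma-joined string, so the merge below works on the array itself, as it would in the body of a Logstash `ruby` filter placed before the `mutate` that removes `doc`. `FakeEvent` and `merge_doc_tags` are hypothetical names; `FakeEvent` is a constructed stand-in so the logic runs outside Logstash, and the `event.get`/`event.set` calls assume the event API of Logstash 5.0 and later.

```ruby
# Constructed stand-in for the Logstash event object (assumption: only
# get/set with simple "[a][b]" or "name" field references are modelled).
class FakeEvent
  def initialize(data)
    @data = data
  end

  def get(ref)
    ref.scan(/[^\[\]]+/).reduce(@data) { |node, k| node.is_a?(Hash) ? node[k] : nil }
  end

  def set(ref, value)
    keys = ref.scan(/[^\[\]]+/)
    last = keys.pop
    parent = keys.reduce(@data) { |node, k| node[k] ||= {} }
    parent[last] = value
  end
end

# Hypothetical helper: the statements inside are what would go in
#   ruby { code => '...' }
# ahead of   mutate { remove_field => [ "doc" ] }
def merge_doc_tags(event)
  doc_tags = event.get("[doc][tags]")
  return unless doc_tags.is_a?(Array)   # attribute missing or not an array

  # Document content is untrusted input: keep only non-blank strings.
  clean = doc_tags.select { |t| t.is_a?(String) && !t.strip.empty? }.map(&:strip)
  return if clean.empty?                 # empty array: do not create "tags"

  # Array() turns nil into [] and a lone string into a one-element array,
  # so tags set earlier by add_tag are kept and never string-concatenated.
  existing = Array(event.get("tags"))
  event.set("tags", (existing + clean).uniq)
end

# Constructed sample event: one tag already added by add_tag, three in the doc.
sample = FakeEvent.new("tags" => ["somekey"], "doc" => { "tags" => ["a", "b", "a"] })
merge_doc_tags(sample)
puts sample.get("tags").inspect
```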