Hi,
I am looking to populate the [labels][feed] field (labels is the ECS field) with contents from two separate CSV fields as below. I am hoping to have it as an array.
Is this a correct approach? If not, what would be the way to have different values populate the same field as an array?
Expected in Elastic Output:
labels.feed ---> [feed_value1, feed_value2]
No, the translate filter is a no-op if the destination field already exists, unless the overwrite option is enabled, and in that case, as you might expect, it overwrites the existing value.
What you could try (I have not tested it) is to use
Had another question on a similar topic, as the docs are not very clear (to me).
What if I have a CSV with multiple values, with the first column as the key and the rest of the columns having values that I want to add to various other fields?
What would be the way to use the translate filter for this scenario?
The docs state:
It is possible to provide multi-valued dictionary values. When using a YAML or JSON dictionary, you can have the value as a hash (map) or an array datatype. When using a CSV dictionary, multiple values in the translation must be extracted with another filter e.g. Dissect or KV.
Note that the fallback is a string so on no match the fallback setting needs to be formatted so that a filter can extract the multiple values to the correct fields.
Probably, but I never supply multiple copies of an option to a filter. Logstash will combine them, almost always in the way you would expect. But only almost always. Over the years I have seen a couple of cases where it did something really unexpected.
To give a couple of examples of multi-valued dictionaries...
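A sketch of the CSV approach described in the documentation passage quoted above, added here as an example and not taken from any post in this thread: the dictionary packs several values into its second column, and a dissect filter splits them into separate fields. The dictionary path, the lookup field, the `|` delimiter and all field names other than `[labels][feed]` are assumptions.

```logstash
# Constructed dictionary file /etc/logstash/feeds.csv (hypothetical path).
# Column 1 is the lookup key, column 2 holds every value joined with "|":
#   198.51.100.7,feed_a|high|2024-01-01
#   203.0.113.9,feed_b|low|2024-02-01

filter {
  translate {
    # Recent plugin versions use source/target; older ones call these
    # field/destination.
    source          => "[source][ip]"
    target          => "feed_lookup"
    dictionary_path => "/etc/logstash/feeds.csv"
    # The fallback is a plain string, so it must follow the same
    # delimiter layout or the dissect mapping below will not match.
    fallback        => "unknown|unknown|unknown"
  }

  # Split the single translated string into one field per value.
  dissect {
    mapping => {
      "feed_lookup" => "%{feed_name}|%{feed_severity}|%{feed_first_seen}"
    }
  }

  # Move the extracted values to their final locations and drop the
  # temporary lookup string.
  mutate {
    rename => {
      "feed_name"       => "[labels][feed]"
      "feed_severity"   => "[labels][feed_severity]"
      "feed_first_seen" => "[labels][feed_first_seen]"
    }
    remove_field => [ "feed_lookup" ]
  }
}
```

Choose a delimiter that can never appear inside a value; a stray delimiter in the dictionary shifts every later field in the dissect mapping.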