Hello All,
What is the best way to rename a nested field?
I would like to do the following:
if [filed][subfield]
rename it to [field]
Would it make sense to add a temporary field with the value of the original, drop the original then rename the temporary or is there a better way?
Any help appreciated,
Does this make sense?
filter{
if 'filebeat' in [tags] or 'beats_input_codec_plain_applied' in [tags] {
if [name] in [host] {
mutate {
add_field => { "host_name" => %{[host][name]} }
}
drop {
remove_field => [ "host" ]
}
mutate {
rename => [ "host_name", "host" ]
}
}
}
}
Yes, if you want to move [host][name] to [host] you will have to use a temporary field to store the value.
Note that you have the option of moving it the other way
if ! [host][name] { mutate { rename => { "[host]" => "[host][name]" } } }Thanks, the only thing is that the [host] field is already there.
Could drop the index though, will ponder the benefit of going either way.
Thanks a lot for your help once again.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.