I have created a mongodb filter, which gets me a number of fields, since the only logs that go through are slow logs I want to know how many slow queries and commands are running through my cluster, so I created a metric using the following:
if ([mongo_component] == "QUERY") or ([mongo_component] == "COMMAND") { metrics { add_field => { "mongo_component" => "%{mongo_component}" } meter => [ "%{mongo_component}" ] add_tag => [ "metric" ] }
I was expecting the add field function to take the field from the original event, if it exists, and add it to the new event, if it doesn't exist to do nothing. Instead it adds a field with the content %{mongo_component} as the field doesn't exist in the new event.
Have I misunderstood the documentation, or are they out of date?
I've also tried to change the syntax in a few ways suggested in IRC, all without any different result. Is there any way to import a field from the starting event to the new event that is created by the metric filter?