Merge function does not append, it's just overwriting for this event field - "event.idm.read_only_ud

Question

Hi

I'm trying to append a new label into the "event.idm.read_only_udm.target.resource.attribute.labels" field in the event.

But when I try => creating a new label and merging it with the above event overwrites the values itself, dont append to it.

Below is the code snippet:

filter {

json {

source => "message"

array_function => "split_columns"

}

grok {

match => {

"textPayload" => [

'%{TIMESTAMP_ISO8601:istio_timestamp}\\] \\\\"%{WORD:method} (?:%{URIPATH:uri_path}(?:%{URIPARAM:uri_param})?|%{DATA}) %{DATA:protocol}" %{NUMBER:status_code} %{DATA:response_flags} %{NUMBER:bytes_received} %{NUMBER:bytes_sent} %{NUMBER:duration} (?:%{NUMBER:upstream_service_time}|%{DATA:tcp_service_time}) "%{DATA:forwarded_for}" "%{DATA:user_agent}" "%{DATA:request_id}" "%{DATA:authority}" "%{DATA:upstream_service}"'

]

}

mutate {

replace => {

"_labels.value" => "%{authority}"

"_labels.key" => "authority"

}

mutate {

merge => {

"event.idm.read_only_udm.target.resource.attribute.labels" => "_labels"

}

mutate {

merge => {

"@output" => "event"

}

statedump {}

}

deeshu · Accepted Answer

Instead of "_labels.value" try "_labels.value.string_value". Instead of "event.idm.read_only_udm.target.resource.attribute.labels" try "event.idm.read_only_udm.additional.fields".

citreno · Answer

Hi,Are you trying to use an extension? if so a parser extension will overwrite any repeated field, I'd recommend to pick a repeated field that is not currently in use. Unfortunately that's the only way, unless you modify the underlying parser.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded