Skip to main content

Hi 

I'm trying to append a new label into the "event.idm.read_only_udm.target.resource.attribute.labels" field in the event.

But when I try =>  creating a new label and merging it with the above event overwrites the values itself, dont append to it.

Below is the code snippet:


filter {
json {
source => "message"
array_function => "split_columns"
}
 
grok {
match => {
"textPayload" => [
'%{TIMESTAMP_ISO8601:istio_timestamp}\\] \\\\"%{WORD:method} (?:%{URIPATH:uri_path}(?:%{URIPARAM:uri_param})?|%{DATA}) %{DATA:protocol}" %{NUMBER:status_code} %{DATA:response_flags} %{NUMBER:bytes_received} %{NUMBER:bytes_sent} %{NUMBER:duration} (?:%{NUMBER:upstream_service_time}|%{DATA:tcp_service_time}) "%{DATA:forwarded_for}" "%{DATA:user_agent}" "%{DATA:request_id}" "%{DATA:authority}" "%{DATA:upstream_service}"'
]
}
}

mutate {
replace => {
"_labels.value" => "%{authority}"
"_labels.key" => "authority"
}
}
 
mutate {
merge => {
"event.idm.read_only_udm.target.resource.attribute.labels" => "_labels"
}
}

mutate {
merge => {
"@output" => "event"
}
}

statedump {}
}






If I'm not mistaken merge with a string field won't append. I think everything else is fine it's just not a function of merge to do that there?

Hi,


Are you trying to use an extension? if so a parser extension will overwrite any repeated field, I'd recommend to pick a repeated field that is not currently in use. Unfortunately that's the only way, unless you modify the underlying parser.

Instead of "_labels.value" try "_labels.value.string_value". 

Instead of "event.idm.read_only_udm.target.resource.attribute.labels" try 

"event.idm.read_only_udm.additional.fields". 

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.