The pattern for additional field arrays is a little bit different then using string_value - it uses additional_field.value.list_value. Below is an example with an array of integers. That said perhaps it's just better to merge the IPs in noun.ip and that could meet your purpose.
filter {
json {
source => "message"
array_function => "split_columns"
}
mutate {
replace => {
"additional_field.key" => "hits"
"udm.metadata.event_type" => "GENERIC_EVENT"
}
}
for hit in hits {
mutate {
replace => {
"value.string_value" => "%{hit}"
}
}
mutate {
merge => {
"list_value.values" => "value"
}
}
mutate {
remove_field => ["value"]
}
}
mutate {
rename =>{
"list_value" => "additional_field.value.list_value"
}
}
mutate {
merge => {
"udm.additional.fields" => "additional_field"
}
}
mutate {
rename => {
"udm" => "event.idm.read_only_udm"
}
}
mutate {
merge => {
"@output" => "event"
}
}
}
LinkedIn
Twitter
