processor-extract_array.asciidoc

Extract array

extract_array

experimental[]

The extract_array processor populates fields with values read from an array field.

Example

The following example populates source.ip with the first element of the my_array field, destination.ip with the second element, and network.transport with the third.

  - extract_array:
      field: my_array
      mappings:
        source.ip: 0
        destination.ip: 1
        network.transport: 2

Configuration settings

processors.asciidoc :works-with-fields!:

Name	Required	Default	Description
field	Yes		The array field whose elements are to be extracted.
mappings	Yes		Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
ignore_missing	No	false	Whether to ignore events where the array field is missing. If false, processing of an event fails if the specified field does not exist.
overwrite_keys	No	false	Whether to overwrite target fields specified in the mapping if the fields already exist. If false, processing fails if a target field already exists.
fail_on_error	No	true	If true and an error occurs, any changes to the event are reverted, and the original event is returned. If false, processing continues despite errors.
omit_empty	No	false	Whether empty values are extracted from the array. If true, instead of the target field being set to an empty value, it is left unset. The empty string (""), an empty array ([]), or an empty object ({}) are considered empty values.