- Functionbeat Reference:
- Functionbeat overview
- Quick start: installation and configuration
- Set up and deploy
- Configure
- AWS functions
- General settings
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- rate_limit
- registered_domain
- rename
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- Regular expression support
- Instrumentation
- functionbeat.reference.yml
- How to guides
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get help
- Debug
- Common problems
- Deployment to AWS fails with "failed to create the stack"
- Deployment to AWS fails with "resource limit exceeded"
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
A newer version is available. For the latest information, see the
current release documentation.
Extract array
editExtract array
editThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The extract_array processor populates fields with values read from an array
field. The following example will populate source.ip with the first element of
the my_array field, destination.ip with the second element, and
network.transport with the third.
processors: - extract_array: field: my_array mappings: source.ip: 0 destination.ip: 1 network.transport: 2
The following settings are supported:
-
field - The array field whose elements are to be extracted.
-
mappings - Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
-
ignore_missing -
(Optional) Whether to ignore events where the array field is
missing. The default is
false, which will fail processing of an event if the specified field does not exist. Set it totrueto ignore this condition. -
overwrite_keys -
Whether the target fields specified in the mapping are
overwritten if they already exist. The default is
false, which will fail processing if a target field already exists. -
fail_on_error -
(Optional) If set to
trueand an error happens, changes to the event are reverted, and the original event is returned. If set tofalse, processing continues despite errors. Default istrue. -
omit_empty -
(Optional) Whether empty values are extracted from the array. If
set to
true, instead of the target field being set to an empty value, it is left unset. The empty string (""), an empty array ([]) or an empty object ({}) are considered empty values. Default isfalse.
Was this helpful?
Thank you for your feedback.