- Functionbeat Reference:
- Overview
- Getting Started With Functionbeat
- Setting up and deploying Functionbeat
- Configuring Functionbeat
- Configure functions
- Specify general settings
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode JSON fields
- Decode Base64 fields
- Decompress gzip fields
- Community ID Network Flow Hash
- Convert
- Drop events
- Drop fields from events
- Extract array
- Keep fields from events
- Registered Domain
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Add Observer metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure the Kibana endpoint
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- Regular expression support
- functionbeat.reference.yml
- Exported fields
- Monitoring Functionbeat
- Securing Functionbeat
- Troubleshooting
- Get help
- Debug
- Common problems
- Deployment to AWS fails with "failed to create the stack"
- Deployment to AWS fails with "resource limit exceeded"
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
A newer version is available. For the latest information, see the
current release documentation.
Extract array
editExtract array
editThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The extract_array processor populates fields with values read from an array
field. The following example will populate source.ip with the first element of
the my_array field, destination.ip with the second element, and
network.transport with the third.
processors: - extract_array: field: my_array mappings: source.ip: 0 destination.ip: 1 network.transport: 2
The following settings are supported:
-
field - The array field whose elements are to be extracted.
-
mappings - Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
-
ignore_missing -
(Optional) Whether to ignore events where the array field is
missing. The default is
false, which will fail processing of an event if the specified field does not exist. Set it totrueto ignore this condition. -
overwrite_keys -
Whether the target fields specified in the mapping are
overwritten if they already exist. The default is
false, which will fail processing if a target field already exists. -
fail_on_error -
(Optional) If set to
trueand an error happens, changes to the event are reverted, and the original event is returned. If set tofalse, processing continues despite errors. Default istrue. -
omit_empty -
(Optional) Whether empty values are extracted from the array. If
set to
true, instead of the target field being set to an empty value, it is left unset. The empty string (""), an empty array ([]) or an empty object ({}) are considered empty values. Default isfalse.
Was this helpful?
Thank you for your feedback.