Journalbeat Reference for 6.5-7.15
Starting in version 7.16, this experimental functionality has been removed. You
should use the journald input in Filebeat instead.
Extract array

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The `extract_array` processor populates fields with values read from an array field. The following example will populate `source.ip` with the first element of the `my_array` field, `destination.ip` with the second element, and `network.transport` with the third.

```yaml
processors:
  - extract_array:
      field: my_array
      mappings:
        source.ip: 0
        destination.ip: 1
        network.transport: 2
```
The following settings are supported:
- `field`: The array field whose elements are to be extracted.
- `mappings`: Maps each field name to an array index. Use 0 for the first element in the array. Multiple fields can be mapped to the same array element.
- `ignore_missing`: (Optional) Whether to ignore events where the array field is missing. The default is `false`, which will fail processing of an event if the specified field does not exist. Set it to `true` to ignore this condition.
- `overwrite_keys`: Whether the target fields specified in the mapping are overwritten if they already exist. The default is `false`, which will fail processing if a target field already exists.
- `fail_on_error`: (Optional) If set to `true` and an error happens, changes to the event are reverted, and the original event is returned. If set to `false`, processing continues despite errors. Default is `true`.
- `omit_empty`: (Optional) Whether empty values are extracted from the array. If set to `true`, instead of the target field being set to an empty value, it is left unset. The empty string (`""`), an empty array (`[]`) or an empty object (`{}`) are considered empty values. Default is `false`.
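How `overwrite_keys`, `fail_on_error` and `omit_empty` interact decides whether an existing `destination.ip` survives and whether an event ends up half-populated. The Python model below is an added example, not Journalbeat's implementation or code from the original page; it assumes events are flat dicts keyed by the dotted field name and treats a non-array field or an out-of-range index as an error.

```python
import copy

EMPTY = ("", [], {})  # the values the page lists as empty

def extract_array(event, field, mappings, ignore_missing=False,
                  overwrite_keys=False, fail_on_error=True, omit_empty=False):
    """Model of the documented settings; returns (event, error or None).

    Assumptions: events are flat dicts keyed by the dotted field name, and a
    non-array field or an index past the end of the array counts as an error.
    """
    if field not in event:
        return event, None if ignore_missing else f"{field} is missing"
    array = event[field]
    if not isinstance(array, list):
        return event, f"{field} is not an array"
    out, errors = copy.deepcopy(event), []
    for target, index in mappings.items():
        if index >= len(array):
            problem = f"index {index} out of range for {target}"
        elif omit_empty and array[index] in EMPTY:
            continue  # leave the target unset instead of storing an empty value
        elif target in out and not overwrite_keys:
            problem = f"{target} already exists"
        else:
            out[target] = array[index]
            continue
        if fail_on_error:
            return event, problem  # revert: the untouched original is returned
        errors.append(problem)     # fail_on_error: false keeps going
    return out, "; ".join(errors) or None

# Constructed sample data (documentation address ranges, not real traffic).
MAPPINGS = {"source.ip": 0, "destination.ip": 1, "network.transport": 2}
PRESET = {"my_array": ["192.0.2.10", "198.51.100.7", "tcp"],
          "destination.ip": "203.0.113.1"}

if __name__ == "__main__":
    for opts in ({}, {"fail_on_error": False}, {"overwrite_keys": True}):
        result, error = extract_array(PRESET, "my_array", MAPPINGS, **opts)
        print(opts, "->", result, "| error:", error)
```

With the defaults, the pre-existing `destination.ip` causes the whole extraction to be rolled back, so downstream detections should not assume `source.ip` is present on such events.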