my doc looks like this and I need to access log.level which is a nested field. can someone help me as I need a condition to set a new field called statuscode if log.level=error.
{
"docs": [
{
"doc": {
"_index": "filebeat-mycluster",
"_type": "_doc",
"_id": "Xdffefepodmlajddwq",
"_source": {
"messageinfo": {
"log.origin": {
"file.line": 131
},
"@timestamp": "2021-11-15T10:07:36.125Z",
"service.name": "my-server",
"ecs.version": "1.6.0",
"log.level": "error",
"message": "Failed"
}
}
}
]
}
Simply like this:
{
"set": {
"if": "ctx.messageinfo['log.level'] == 'error'",
"field": "statuscode",
"value": "whatever"
}
}
Note that if your log.level field was properly de-dotted, you'd do it like this:
{
"set": {
"if": "ctx.messageinfo.log.level == 'error'",
"field": "statuscode",
"value": "whatever"
}
}