My doc looks like this and I need to access log.level, which is a nested field. Can someone help me, as I need a condition to set a new field called statuscode if log.level=error?
{
  "docs": [
    {
      "doc": {
        "_index": "filebeat-mycluster",
        "_type": "_doc",
        "_id": "Xdffefepodmlajddwq",
        "_source": {
          "messageinfo": {
            "log.origin": {
              "file.line": 131
            },
            "@timestamp": "2021-11-15T10:07:36.125Z",
            "service.name": "my-server",
            "ecs.version": "1.6.0",
            "log.level": "error",
            "message": "Failed"
          }
        }
      }
    }
  ]
}
CodePudding user response:
Simply like this:
{
  "set": {
    "if": "ctx.messageinfo['log.level'] == 'error'",
    "field": "statuscode",
    "value": "whatever"
  }
}
Note that if your log.level field was properly de-dotted, you'd do it like this:
{
  "set": {
    "if": "ctx.messageinfo.log.level == 'error'",
    "field": "statuscode",
    "value": "whatever"
  }
}
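Added example, not part of the answer above: a request body for `POST _ingest/pipeline/_simulate` that first de-dots `log.level` under `messageinfo` with a `dot_expander` processor and then applies the nested-path condition, written with Painless's null-safe `?.` operator so the condition does not throw on documents that lack `messageinfo` or `log`. The two documents are constructed, trimmed from the one in the question; only the first should come back with `statuscode` set.

```json
{
  "pipeline": {
    "description": "De-dot messageinfo.log.level, then tag error events",
    "processors": [
      {
        "dot_expander": {
          "path": "messageinfo",
          "field": "log.level"
        }
      },
      {
        "set": {
          "if": "ctx.messageinfo?.log?.level == 'error'",
          "field": "statuscode",
          "value": "whatever"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "messageinfo": {
          "service.name": "my-server",
          "log.level": "error",
          "message": "Failed"
        }
      }
    },
    {
      "_source": {
        "messageinfo": {
          "service.name": "my-server",
          "log.level": "info",
          "message": "Started"
        }
      }
    }
  ]
}
```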