Set

Mutate Elastic Compatible

Synopsis

Sets a field and associates it with a specified value.

Schema

set:
  - field: <ident>
  - copy_from: <ident>
  - description: <text>
  - if: <script>
  - ignore_empty_value: <boolean>
  - ignore_failure: <boolean>
  - media_type: <enum>
  - on_failure: <processor[]>
  - on_success: <processor[]>
  - override: <boolean>
  - tag: <string>
  - value: <any>

Configuration

Field	Required	Default	Description
`field`	Y	-	Field to update
`copy_from`	N	-	Field whose value will be copied to `field`. Cannot be used if `value` is specified
`description`	N	-	Explanatory note
`if`	N	-	Condition to run
`ignore_empty_value`	N	`false`	If `true`, quietly exit if specified field does not exist or its value is `null`/empty
`ignore_failure`	N	`false`	See Handling Failures
`media_type`	N	`application/json`	For encoding `value`. Valid options: `application/json`, `text/plain`, or `application/x-www-form-urlencoded`
`on_failure`	N	-	See Handling Failures
`on_success`	N	-	See Handling Success
`override`	N	`true`	If `false`, do not update fields that already have a non-null value
`tag`	N	-	Identifier
`value`	N	-	Value to set. Cannot be used if `copy_from` is specified

Details

The processor can either set a literal value or copy a value from another field. If the field already exists, its value will be replaced unless override is set to false.

note

Either value or copy_from must be specified, but not both. When using copy_from, the source field must exist unless ignore_empty_value is set to true.

warning

When using templates, ensure that they reference valid fields as missing fields will cause the processor to fail unless ignore_empty_value is enabled.

Examples

Basic

Setting a simple numeric value...	`{ "data": {} }` `set: - field: metrics.packets - value: 150`
creates a new field with that value:	`{ "data": { "metrics": { "packets": 150 } } }`

Templates

Values can reference other fields through templates...

{
  "checkpoint": {
    "product": "ExampleProduct"
  }
}

set:
  - field: observer.product
  - value: "{{checkpoint.product}}"

which get resolved at run time:

{
  "checkpoint": {
    "product": "ExampleProduct"
  },
  "observer": {
    "product": "ExampleProduct"
  }
}

Array Templates

Set arrays with mixed values...

{
  "event": {
    "type": "login",
    "service": "ssh"
  }
}

set:
  - field: event.category
    value: 
      - "{{event.service}}"
      - authentication
      - "{{event.type}}"

combining static and dynamic values:

{
  "event": {
    "type": "login",
    "service": "ssh",
    "category": ["ssh", "authentication", "login"]
  }
}

Map Templates

Set maps with template values...

{
  "source": {
    "service": "webserver",
    "version": "2.4"
  }
}

set:
  - field: service.details
    value:
      name: "{{source.service}}"
      type: "web"
      version: "{{source.version}}"

creating structured data:

{
  "service": {
    "details": {
      "name": "webserver",
      "type": "web",
      "version": "2.4"
    }
  }
}

Copying

Copying a value from one field to another...	`{ "source": { "packets": 10 } }` `set: - field: metrics.packets - copy_from: source.packets`
duplicates the value:	`{ "source": { "packets": 10 }, "metrics": { "packets": 10 } }`

Existing Values

When existing values are not overridden...	`{ "checkpoint": { "title": "NoTitle" } }` `set: - field: checkpoint.title - value: "NewTitle" - override: false`
non-null values are preserved:	`{ "checkpoint": { "title": "NoTitle" } }`

Synopsis​

Schema​

Configuration​

Details​

Examples​

Basic​

Templates​

Array Templates​

Map Templates​

Copying​

Existing Values​