Skip to main content
Version: 3.5.2

Action: add

Add new fields to an event

Example

Input:

{"one":1}

Pipe Language Snippet:

add:
output-fields:
- two: 2
- three: 3

Output:

{"one":1,"two":2.0,"three":3.0}

Field Summary

Field NameTypeDescriptionDefault
conditionexpressionOnly run this action if the condition the specified condition is met-
fieldsarray of (field,value) pairsFields where values are stored-
jsonpath-fieldsarray of (field,query) pairsFields to add to the event, where the values are the result of a JSONPath query For the query syntax see: https://www.ietf.org/archive/id/draft-ietf-jsonpath-base-12.html-
templatetemplated textTemplate substitution, for more complex output-
template-filepathTemplate substitution from provided file, for more complex output-
template-result-fieldfieldA way of creating arbitrary documents for passing to output-
overwriteboolForce values in already-existing fields to be replacedfalse

Fields

condition

Type: expression

Only run this action if the condition the specified condition is met

fields

Type: array of (field,value) pairs
Alias: output-fields

Fields where values are stored

Example: Plain values

Input:

{}

Pipe Language Snippet:

add:
output-fields:
- one: 1
- two: 2
- three: 3

Output:

{"one":1.0,"two":2.0,"three":3.0}

Example: Complex values

Input:

{}

Pipe Language Snippet:

add:
output-fields:
- one: 1
- two: 2
- three-four: [3,4]
- five-six:
five: 5
six: 6

Output:

{"one":1.0,"two":2.0,"three-four":[3.0,4.0],"five-six":{"five":5.0,"six":6.0}}

Example: Field expansions

Input:

{"one":1,"two":2}

Pipe Language Snippet:

add:
output-fields:
- another-one: ${one}
- another-two: yet another ${two}

Output:

{"one":1,"two":2,"another-one":"1","another-two":"yet another 2"}

Example: Field expansions, with nested fields

Input:

{"one-two":[1,2],"three-four":{"three":3,"four":4.0}}

Pipe Language Snippet:

add:
output-fields:
- one: ${one-two.0}
- two: ${one-two.1}
- three: ${three-four.three}
- four: ${three-four.four}

Output:

{"one-two":[1,2],"three-four":{"three":3,"four":4.0},"one":"1","two":"2","three":"3","four":"4.0"}

Example: Field names can contain field references

Input:

{"one":1}

Pipe Language Snippet:

add:
output-fields:
- another-${one}: ${one}

Output:

{"one":1,"another-1":"1"}

jsonpath-fields

Type: array of (field,query) pairs

Fields to add to the event, where the values are the result of a JSONPath query For the query syntax see: https://www.ietf.org/archive/id/draft-ietf-jsonpath-base-12.html

template

Type: templated text

Template substitution, for more complex output

The template must result in a valid JSON document, which will be merged with the input event

Example

Input:

{"one":1}

Pipe Language Snippet:

add:
template: |
{
"another-one": ${one},
"tags": ["yoyo",${one}]
}
output: '{"one":1,"another-one":1,"tags":["yoyo",1]}'

template-file

Type: path

Template substitution from provided file, for more complex output

Like template, except using a file. Easier to edit well-formed JSON templates

Example

File: some-file

{
"another-one": ${one},
"tags": ["yoyo",${one}]
}

Input:

{"one":1}

Pipe Language Snippet:

add:
template-file: some-file

Output:

{"one":1,"another-one":1,"tags":["yoyo",1]}

template-result-field

Type: field

A way of creating arbitrary documents for passing to output

Only applies to template or template-file. The template does not have to be valid JSON. (In this example, it is YAML)

Example

Input:

{"one":1,"two":2}

Pipe Language Snippet:

add:
template-result-field: results
template: |
results:
one: ${one}
two: ${two}

Output:

{"one":1,"two":2,"results":"results:\n    one: 1\n    two: 2\n"}

overwrite

Type: bool

Default: false

Force values in already-existing fields to be replaced

Example

Input:

{"one":1}

Pipe Language Snippet:

add:
overwrite: true
output-fields:
- one: 0
- two: 1

Output:

{"one":0,"two":1.0}