| title | description |
|---|---|
Field Path Notation |
Vector's field path notation allows you to reference field values with a simple string syntax. |
Throughout Vector's configuration you'll notice that certain options take field
paths as values, such as the
rename_fields transform. In order to
referenxe nested, or array, values you can use Vector's field path notation.
This notation is not anything special, it simply uses . and [<index>] to
access nested and array values, respectively.
For this example let's use the following log event:
{
"timestamp": "2020-02-14T01:22:23.223Z",
"application_id": 1,
"message": "Hello world",
"field.with.dot": "value",
"ec2": {
"instance_id": "abcd1234",
"tags": ["tag1: value1", "tag2: value1"]
}
}We can access the values like so:
"application_id"- Accesses the root levelapplication_idfield."ec2.instance_id"- Accesses the childinstance_idfield."ec2.tags[0]"- Accesses the first value in the childtagsfield.
Root-level values can be access by simply supplying the name of the field as shown in the example above.
field_name
Nested values can be accessed by separating ancestor fields with the .
character:
grandparent.parent.child
Array values can be access with the [<index>] syntax:
field_name[0]
Accesses the first value since it has an index of 0.
parent.child[0]
Accesses the first value of the nested child field.
The special characters ., [, and ] can be escaped with a \:
field\.with\.dots
The above name will be treated literally.
The \ character, if used literally, must be escaped with a \ as well.