Add_field and copy data

Badger · November 30, 2017, 5:29pm

If you input

{ "Foo": 1, "Bar":"2" }

into logstash with this config

input { stdin { } }
output { stdout { codec => rubydebug } }

filter {
  json {
    source => "message"
    target => "event_data"
  }
  mutate {
  add_field => {"event_data.Suspicious" => "Suspicious Activity"}
  }
  mutate {
  copy => {"[event_data][Foo]" => "event_data.withdot" }
  }
  mutate {
  copy => {"[event_data][Foo]" => "[event_data][withbracket]" }
  }
  mutate {
  }
}

You will see the difference.

{
               "@timestamp" => 2017-11-30T17:25:46.727Z,
                 "@version" => "1",
                     "host" => "[...]",
               "event_data" => {
        "withbracket" => 1,
                "Bar" => "2",
                "Foo" => 1
    },
                  "message" => "{ \"Foo\": 1, \"Bar\":\"2\" }",
    "event_data.Suspicious" => "Suspicious Activity",
       "event_data.withdot" => 1
}

Topic		Replies	Views
Logstash Syntax :: Copy String from One Field into a New Field Logstash	3	1418	July 16, 2020
Mutate -> Copy is not working as expected Logstash	2	406	June 13, 2023
Issues procesing fields with mutate Logstash	3	332	August 21, 2019
Copy a field without making it a hash value? Logstash	7	2852	July 6, 2017
Add_field never replace my field Logstash	4	398	July 13, 2018

Add_field and copy data

Related topics