Add_field and then gsub in one pass is not supported?

Elastic Stack Logstash
1

Logstash version 2.2.4 on ubuntu 14.04

I have an existing @timestamp field in some documents, with values like "2016-09-29T05:25:52.000Z". I would like to extract just the "day" portion of the timestamp and store it in a new field called day, e.g. "2016-09-29". I would like to do this in one pass.

If I try this:

filter {
   mutate {
      add_field => { "day" => "%{@timestamp}"}
      convert => { "day" => "string" }
      gsub => [ "day", "T.*", "" ]
   }
}

Then the output is "day" => "2016-09-29T05:25:52.000Z". The add_field and convert worked, but the gsub did not work.

However if I do this in two passes, i.e. run this:

filter {
   mutate {
      add_field => { "day" => "%{@timestamp}"}
      convert => { "day" => "string" }
   }
}

And then when all documents updated, run this:

filter {
   mutate {
      gsub => [ "day", "T.*", "" ]
   }
}

Then it works: "day" => "2016-09-29"

Is there some kind of optimization going on that tries to execute things in parallel? Perhaps it is trying to do the gsub before the add_field and convert is finished? I'm no logstash expert but I would think it would behave more or less like an imperative, sequentially executed script.

2

nevermind, this works:

filter {
        mutate {
          add_field => { "day" => "%{@timestamp}"}
        }
        mutate{
          convert => { "day" => "string" }
        }
        mutate {
          gsub => [ "day", "T.*", "" ]
        }
}

I guess it does do operations inside mutate in parallel, but mutate blocks in sequence

3

I guess it does do operations inside mutate in parallel

Well, not in parallel but also not in the order listed in the configuration file. If you care about the order you need to use separate filters.