Add_field doesn't work

peterch · September 24, 2018, 3:26am

Dear all,

I install metric beat on a window server to receive log. I tried to combine some of the field using add_field but it cannot capture the old field value. Any idea?

if "metricbeat" in [tags]{
mutate {
add_field => {
"process.summary" => "%{system.process.username} %{system.process.name} %{system.process.cmdline}"
}
}
}

result

process.summary %{system.process.username} %{system.process.name} %{system.process.cmdline}

Thanks

Christian_Dahlqvist · September 24, 2018, 6:21am

I think you are referencing nested fields incorrectly. This should probably be:

"process.summary" => "%{[system][process][username]} %{[system][process][name]} %{[system][process][cmdline]}"

peterch · September 24, 2018, 6:35am

But I really have field name which are "system.process.username", "system.process.name", "system.process.cmdline". And I want to combine these field so I use add_field

Christian_Dahlqvist · September 24, 2018, 6:38am

The fact that the string contains your pattern typically indicates that the field you have specified does not exist or is incorrectly specified. Output the event using a stdout plugin with a rubydebug codec to troubleshoot this. Then you will see exactly what your event looks like.

peterch · September 24, 2018, 6:54am

I tried to use rubydebug codec as output but still fail

if "metricbeat" in [tags]{
stdout { codec => rubydebug }
elasticsearch {
hosts => ["1.1.1.1:9200","2.2.2.2:9200"]
manage_template => false
index => "metricbeat-%{+YYYY.MM}"
}
}

Christian_Dahlqvist · September 24, 2018, 6:58am

What does the output to stdout look like?

peterch · September 24, 2018, 7:02am

Here's the sample

Christian_Dahlqvist · September 24, 2018, 7:02am

That is not the output from the stdout plugin. What does a full event look like when you look at it in Kibana?

peterch · September 24, 2018, 7:05am

Do you mean this one?

Capture2

Christian_Dahlqvist · September 24, 2018, 7:07am

As you can see your fields are nested. Did you even try the example I provided earlier?

peterch · September 26, 2018, 6:45am

Yes, I have tried but the result still same. May I know if any configuration wrong?

Filter

if "metricbeat" in [tags]{
mutate {
add_field => {
"process.summary" => "{system.process.username} {system.process.name}"
}
}
}

Output

else if "metricbeat" in [tags]{
stdout { codec => rubydebug }
elasticsearch {
hosts => ["192.168.6.27:9200","192.168.6.28:9200"]
manage_template => false
index => "metricbeat-%{+YYYY.MM}"
}
}

Result

Json Output

Christian_Dahlqvist · September 26, 2018, 6:54am

That is wrong as it is missing % ahead of the curly braces and also use the dot notation. Did you try this:

"process.summary" => "%{[system][process][username]} %{[system][process][name]} %{[system][process][cmdline]}"

If you did, please show us the output.

peterch · September 26, 2018, 7:39am

I tried to change configuration and it works now. Thanks a lot!!!

system · October 24, 2018, 7:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.