Add_field never replace my field

Elastic Stack Logstash
1

Hello

I would to like to know why my "add_field" option doesn"t replace my "NEWFIELD" field ? :

  if ([ID2] == "000003")
  {
    grok
    {
      match => { "DESCRIPTION" => [ "%{DATA:TEST}/%{WORD:NOM_BATCH}-%{BASE16NUM:DATE_BATCH}-%{GREEDYDATA:RESTE}" ] }
    }
    mutate 
    {
      copy => { "DATE_BATCH" => "ESSAI" }
      #DATE_BATCH is correctly copied because ESSAI = DATE_BATCH
    }
  }
  else
  {
    mutate 
    {
      add_field => { "NEWFIELD" => "%{[ESSAI]}" }
    }
  }

When I go to see my "NEWFIELD" field in Kibana :

image
... NEWFIELD = %{[ESSAI]}

Why it isn't replaced ??
Thx :smiley:

2

Why do you have %{[ESSAI]} with the square brackets? That may be messing it up. Try removing the square brackets so it looks like %{ESSAI}. It should look like this:

mutate 
{
  add_field =>  "NEWFIELD" => "%{ESSAI}" 
}
3

I tried and .. same result :

image

rubydebug of one event :

"NEWFIELD" => "%{ESSAI}"

4

If you get %{ESSAI} it means the ESSAI field wasn't set.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.