Add new field based on request field

Viswanath_S · August 17, 2016, 11:01am

Hi,

I am trying to add a new field based on request field value.

if the request field contains "fetchAccountDetails" add a new field called "requestCatagory" with value as "FETCH_ACCOUNT_DATA"

if the request field contains "fetchUserInfo" add a new field called "requestCatagory" with value as "FETCH_USER_DATA"

I am trying to use mutate as below but getting error.

grok {
match => { "message" => "%{COMBINEDAPACHELOG}%{SPACE}%{IPORHOST:appserverIp} %{NONNEGINT:appserverport} %{NONNEGINT:responsetimemillis:int} %{GREEDYDATA:restofmessage}" }
}

mutate {
if [message] =~ "/fetchAccountDetails/"{
add_field =>
{
"requestcategory" => "FETCH_ACCOUNT_DATA"
}
} else if [message] =~ "/fetchUserInfo/"{
add_field =>
{
"requestcategory" => "FETCH_USER_DATA"
}
}else {
add_field =>
{
"requestcategory" => "OTHER"
}
}
}
Please advise how to achieve this.

Thanks,
Viswanath

magnusbaeck · August 17, 2016, 8:15pm

if [message] =~ "/fetchAccountDetails/*"{

That might work, but prefer

if [message] =~ /\/fetchAccountDetails\// {

or this:

if "/fetchAccountDetails/" in [message] {

Also, you can't have conditionals inside filters. You have to wrap the filters.

if ... {
  mutate { ... }
} else {
  mutate { ... }
}

Viswanath_S · August 18, 2016, 6:32am

Thanks. It is working