Add new field based on request field

Viswanath_S · August 17, 2016, 11:01am

Hi,

I am trying to add a new field based on request field value.

if the request field contains "fetchAccountDetails" add a new field called "requestCatagory" with value as "FETCH_ACCOUNT_DATA"

if the request field contains "fetchUserInfo" add a new field called "requestCatagory" with value as "FETCH_USER_DATA"

I am trying to use mutate as below but getting error.

grok {
match => { "message" => "%{COMBINEDAPACHELOG}%{SPACE}%{IPORHOST:appserverIp} %{NONNEGINT:appserverport} %{NONNEGINT:responsetimemillis:int} %{GREEDYDATA:restofmessage}" }
}

mutate {
if [message] =~ "/fetchAccountDetails/"{
add_field =>
{
"requestcategory" => "FETCH_ACCOUNT_DATA"
}
} else if [message] =~ "/fetchUserInfo/"{
add_field =>
{
"requestcategory" => "FETCH_USER_DATA"
}
}else {
add_field =>
{
"requestcategory" => "OTHER"
}
}
}
Please advise how to achieve this.

Thanks,
Viswanath

magnusbaeck · August 17, 2016, 8:15pm

if [message] =~ "/fetchAccountDetails/*"{

That might work, but prefer

if [message] =~ /\/fetchAccountDetails\// {

or this:

if "/fetchAccountDetails/" in [message] {

Also, you can't have conditionals inside filters. You have to wrap the filters.

if ... {
  mutate { ... }
} else {
  mutate { ... }
}

Viswanath_S · August 18, 2016, 6:32am

Thanks. It is working

Topic		Replies	Views
Add new field based on the result of array Logstash	2	396	January 3, 2018
Add new field based on value in event_data Beats winlogbeat	3	797	September 29, 2017
Adding new field based on AND Condition Logstash	4	502	January 14, 2021
Unable to get new field with mutate filter Logstash	5	262	May 11, 2022
Creating a new field based on the input and send it to the output Logstash	2	276	December 12, 2019

Add new field based on request field

Related topics