Add or update field in filter or elsewhere

Based on the [@metadata][category] field, logs need to be uploaded to different file locations. If the message has some pattern, then I need to update [@metadata][category]. I am doing this in the filter:

filter {
  if [message] =~ ".regextpattern." {
    grok { add_field => { "[@metadata][category]" => "file1" } }
  } else {
    grok { add_field => { "[@metadata][category]" => "file2" } }
  }
}

so that it goes to the desired output. How do I update this field in the filter or input? At the input, [@metadata][category] can be added as a field.

I tried with grok, but the previous value was "[@metadata][category]" => "file2" and the pattern matched, and it made "[@metadata][category]" => ["file2", "file1"], and the output plugin is not working as desired:

if [@metadata][category] == "file1" {
  file {
    path => "/tmp/file3.log"
  }
} else {
  file {
    path => "/tmp/file4.log"
  }
}

Then I tried the mutate filter with the update setting, but it needs [@metadata][category] to be present.

filter {
  if [message] =~ ".regextpattern." {
    mutate {
      update => { "[@metadata][category]" => "file1" }
    }
  }
}

Is there a better approach that is sure to update the field, meaning if it is not present then add it, else overwrite it?

Can we do it in the filter, or is there a better place? Performance also needs to be considered.

Is there a better approach that is sure to update the field, meaning if it is not present then add it, else overwrite it?

How about the mutate filter's replace option?

That is great... Can I do something with the grok filter?

Maybe. If the string you want to store in [@metadata][category] can be extracted from another field then grok is a good option.
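
The mutate replace suggestion from this thread as a complete pipeline, added here as an illustration and not posted by anyone in the thread. The stdin input and the /ERROR/ pattern are assumptions; the category values and output paths are the ones from the question.

```logstash
input {
  stdin {
    # Default category set at the input, as the question describes (assumed input plugin).
    add_field => { "[@metadata][category]" => "file2" }
  }
}

filter {
  # /ERROR/ is a placeholder for the real message pattern.
  if [message] =~ /ERROR/ {
    mutate {
      # replace creates the field when it is missing and overwrites it when present,
      # so the value stays a single string instead of growing into an array.
      replace => { "[@metadata][category]" => "file1" }
    }
  }
}

output {
  if [@metadata][category] == "file1" {
    file { path => "/tmp/file3.log" }
  } else {
    file { path => "/tmp/file4.log" }
  }
  # Uncomment while testing: @metadata is hidden from outputs unless requested.
  # stdout { codec => rubydebug { metadata => true } }
}
```

Because the field always holds a single string, the == comparison in the output section routes each event to exactly one file.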
