Add or update field in filter or elsewhere

Elastic Stack Logstash
1

based on [@metadata][category] field , log need to uploaded to different file location. if message have some pattern then need to update [@metadata][category] , I am doing in filter

filter {
if [message] =~ ".regextpattern."
{ grok{ add_field => {"[@metadata][category]" => "file1"} } }
else
{ grok{ add_field => {"[@metadata][category]" => "file2"} } }

}

so it go desired output. how to update this field at filter or input. at input [@metadata][category] can be added as field.

I tried with grok but previous value "[@metadata][category]" => "file2" and pattern matched and it make "[@metadata][category]" => ["file2" , file1" ]
and output plugin not working as desire

if [@metadata][category] == "file1" {
file{
path => "/tmp/file3.log"
}
}else {
file{
path => "/tmp/file4.log"
}
}

then I try with mutate filter with update setting but it need [@metadata][category] to present.

filter {
if [message] =~ ".regextpattern."
{ mutate { update => { "[@metadata][category]" => "file1" }
} }

}

Can there be a better approach which sure shot update field means if it not present then add else overwrite it.

I can we do in filter or there is better place. Need to also consider performance.

2

Can there be a better approach which sure shot update field means if it not present then add else overwrite it.

How about the mutate filter's replace option?

3

that is great... Can do something with grok filter?

4

Maybe. If the string you want to store in [@metadata][category] can be extracted from another field then grok is a good option.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.