Add_tag from fields than delete source fields

dikkini · July 10, 2020, 5:02pm

Hello!

I got JSON and there tags element which i want to use to add tags.
I rename it to telegraf_tags because of this topic and want to use them as source for ES tags.

JSON:

{"fields":{"created":1594396144981,"value":"{\"id\": 1, \"type\": \"exit\", \"num\": \"12\", \"other_num\": 2, \"name\": \"Ivan\", \"children\": [{\"name\": \"Julia\", \"age\": 1, \"sex\": true, \"birthtime\": \"09/07/2020 17:38:13\"}], \"birthtime\": \"09/07/2020 17:38:13\", \"created\": 1594316293296}"},"name":"generator_log","tags":{"host":"test.dev.map","path":"/opt/map/agents/generator.log","type":"generator"},"timestamp":1594396144}

logstash config:

filter {
	mutate {
      copy => {
        "[fields][created]" => "created"
        "[fields][value]" => "data"
      }
      rename => ["tags", "telegraf_tags" ]
      add_tag => [ "%{[telegraf_tags][type]}", "%{[telegraf_tags][host]}", "%{[telegraf_tags][path]}" ]
      remove_field => [ "tags", "fields", "telegraf_tags" ]
	}
}

with this logstash config in ES tags looks like this:tags: %{[telegraf_tags][type]}, %{[telegraf_tags][host]}, %{[telegraf_tags][path]}

But if i won't delete field telegraf_tags - it works:
logstash config:

filter {
	mutate {
      copy => {
        "[fields][created]" => "created"
        "[fields][value]" => "data"
      }
      rename => ["tags", "telegraf_tags" ]
      add_tag => [ "%{[telegraf_tags][type]}", "%{[telegraf_tags][host]}", "%{[telegraf_tags][path]}" ]
      remove_field => [ "tags", "fields" ]
	}
}

but i have to delete it and add tags based on it

Badger · July 10, 2020, 5:43pm

mutate does things in a fixed order, which is not always the order you want. Try dividing that into four different mutate filters.

system · August 7, 2020, 5:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.