Add_tag from fields than delete source fields

Hello!

I got JSON and there tags element which i want to use to add tags.
I rename it to telegraf_tags because of this topic and want to use them as source for ES tags.

JSON:

{"fields":{"created":1594396144981,"value":"{\"id\": 1, \"type\": \"exit\", \"num\": \"12\", \"other_num\": 2, \"name\": \"Ivan\", \"children\": [{\"name\": \"Julia\", \"age\": 1, \"sex\": true, \"birthtime\": \"09/07/2020 17:38:13\"}], \"birthtime\": \"09/07/2020 17:38:13\", \"created\": 1594316293296}"},"name":"generator_log","tags":{"host":"test.dev.map","path":"/opt/map/agents/generator.log","type":"generator"},"timestamp":1594396144}

logstash config:

filter {
	mutate {
      copy => {
        "[fields][created]" => "created"
        "[fields][value]" => "data"
      }
      rename => ["tags", "telegraf_tags" ]
      add_tag => [ "%{[telegraf_tags][type]}", "%{[telegraf_tags][host]}", "%{[telegraf_tags][path]}" ]
      remove_field => [ "tags", "fields", "telegraf_tags" ]
	}
}

with this logstash config in ES tags looks like this:tags: %{[telegraf_tags][type]}, %{[telegraf_tags][host]}, %{[telegraf_tags][path]}

But if i won't delete field telegraf_tags - it works:
logstash config:

filter {
	mutate {
      copy => {
        "[fields][created]" => "created"
        "[fields][value]" => "data"
      }
      rename => ["tags", "telegraf_tags" ]
      add_tag => [ "%{[telegraf_tags][type]}", "%{[telegraf_tags][host]}", "%{[telegraf_tags][path]}" ]
      remove_field => [ "tags", "fields" ]
	}
}

but i have to delete it and add tags based on it

mutate does things in a fixed order, which is not always the order you want. Try dividing that into four different mutate filters.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.