Add_tag

13koushik · September 29, 2016, 5:22pm

Is there any way one could rename a tag. When I'm using add_tag of mutate and assigning it an array, the name of the tag is "tags" by default. I would like to rename it. Could someone help me out?

magnusbaeck · September 29, 2016, 7:17pm

add_tag always adds the string to an array in the field named tags. The name of the tags field isn't configurable.

13koushik · September 29, 2016, 10:02pm

Thanks Magnus. I'm am trying to create a field which takes an array as it's value. I need to give it a specific name. Any suggestion would be really helpful.

magnusbaeck · September 30, 2016, 5:28am

Why not use add_field?

13koushik · September 30, 2016, 12:24pm

Tried the add_field Magnus.

filter {
json {
source => "message"
target => "msg"
}
mutate {
add_field => {
"IP-Address" => "%{[msg][message][IP-Address]}"
"Name" => "HostName"
}
}
This is giving me two fields "IP-Address" and "Name" with their respective values. I'm not sure how to create a field which takes an array as it's value.

magnusbaeck · September 30, 2016, 12:58pm

If you use add_field more than once on the same field you'll get an array. I'm not sure if you can create a one-element array.

13koushik · September 30, 2016, 1:07pm

Thanks a lot Magnus. That worked.

13koushik · October 11, 2016, 2:35pm

Magnus, I have a question. I have logs which as the name of the user in the field "UserName" and logs which has it in "User-Name". Is there a possibility to use OR in an add_field ?
mutate{
add_field => { "msg_relations" => "%{[msg][message][Username OR User-Name]}" }
}

Thanks.

magnusbaeck · October 11, 2016, 2:52pm

Not like that but you can have a conditional:

if [msg][message][Username] {
  mutate {
    add_field => {
      "msg_relations" => "%{[msg][message][Username]}"
    }
  }
} else if [msg][message][User-Name] {
  mutate {
    add_field => {
      "msg_relations" => "%{[msg][message][User-Name]}"
    }
  }
}

13koushik · October 11, 2016, 2:56pm

Got it. Thanks a lot Magnus.