Add_tag

Elastic Stack Logstash
1

Is there any way one could rename a tag. When I'm using add_tag of mutate and assigning it an array, the name of the tag is "tags" by default. I would like to rename it. Could someone help me out?

2

add_tag always adds the string to an array in the field named tags. The name of the tags field isn't configurable.

3

Thanks Magnus. I'm am trying to create a field which takes an array as it's value. I need to give it a specific name. Any suggestion would be really helpful.

4

Why not use add_field?

5

Tried the add_field Magnus.

filter {
json {
source => "message"
target => "msg"
}
mutate {
add_field => {
"IP-Address" => "%{[msg][message][IP-Address]}"
"Name" => "HostName"
}
}
This is giving me two fields "IP-Address" and "Name" with their respective values. I'm not sure how to create a field which takes an array as it's value.

6

If you use add_field more than once on the same field you'll get an array. I'm not sure if you can create a one-element array.

1 Like
7

Thanks a lot Magnus. That worked.

8

Magnus, I have a question. I have logs which as the name of the user in the field "UserName" and logs which has it in "User-Name". Is there a possibility to use OR in an add_field ?
mutate{
add_field => { "msg_relations" => "%{[msg][message][Username OR User-Name]}" }
}

Thanks.

9

Not like that but you can have a conditional:

if [msg][message][Username] {
  mutate {
    add_field => {
      "msg_relations" => "%{[msg][message][Username]}"
    }
  }
} else if [msg][message][User-Name] {
  mutate {
    add_field => {
      "msg_relations" => "%{[msg][message][User-Name]}"
    }
  }
}
10

Got it. Thanks a lot Magnus.