Alter filed in logstash filter for Metricbeat

tharu85 · February 1, 2018, 6:09am

I have configure Metricbeat and send system metric to logstash. Sample metricbeat output as below

{
"@timestamp" => 2018-02-01T05:36:14.330Z,
    "system" => {
    "network" => {
          "in" => {
              "bytes" => 535630,
            "dropped" => 0,
             "errors" => 0,
            "packets" => 1217
        },
        "name" => "lo",
         "out" => {
              "bytes" => 535630,
            "dropped" => 0,
            "packets" => 1217,
             "errors" => 0
        }
    }
},
      "beat" => {
    "hostname" => "elasticsearch-two",
        "name" => "elasticsearch-two",
     "version" => "6.1.3"
},
  "@version" => "1",
      "host" => "elasticsearch-two",
 "metricset" => {
       "rtt" => 361,
    "module" => "system",
      "name" => "network"
},
      "tags" => [
    [0] "beats_input_raw_event"
]
}

In logstash I want rename filed name to my own name.
For an example

 "system" => {
    "network" => {
          "in" => {
              "bytes" => 535630,
            "dropped" => 0,
             "errors" => 0,
            "packets" => 1217
        },

I want to rename "in" "bytes" fields as input_bytes, "in" "dropped" as input_droppped and etc.

So how can I define filter in logstash to meet my requirement

magnusbaeck · February 1, 2018, 7:03am

Have you looked into the mutate filter and its rename option? See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html for the syntax used to reference subfields.

system · March 1, 2018, 7:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.