Any alternatives to if and mutate?

anhlqn · April 21, 2016, 11:04pm

Hi all,

I have a bunch of if + mutate that check dst-port field and then update the protocol field to a correct protocol name ( for custom destination port that cannot be recognized by nProbe)

filter {
if [dst-port] == 5601 {
		mutate {
			update => { "protocol" => "Kibana" }
		}
	}

if [dst-port] == 9200 {
		mutate {
			update => { "protocol" => "Elasticsearch" }
		}
	}	
}

Problem is that with about 10 if blocks, Logstash throughput significantly drops. Because netflow uses indexing time as the timestamp, throughput drop is not acceptable. I've looked at the mutate filter itself, but is there any better way to accomplish such check and rename operation?

Thanks

magnusbaeck · April 22, 2016, 5:58am

The translate filter?

anhlqn · April 22, 2016, 6:35am

I'll try the translate filter. I forgot to use if + else if, I guess it would somewhat reduce the performance impact

Topic		Replies	Views
Expensive if statement in Logstash config Logstash	1	338	July 6, 2017
Filter if condition in Logstash Logstash	8	19413	July 24, 2019
Conditional mutate not working Logstash	3	1311	October 24, 2017
IF with Mutate Filter Logstash	3	895	April 14, 2018
Some problem of if and mutate in logstash filter Logstash	7	457	June 5, 2018

Any alternatives to if and mutate?

Related topics