Append a string to a field after mutate convert filter

Elastic Stack Logstash
1

Hi I have the following log pattern

[19/Jun/2023:11:27:35 +0530] | 503 | 1188 ms | 299 B | 172.31.40.179 | - | - | - | "GET /3dcomment/monitoring/healthcheck HTTP/1.1"

I have applied grok to fetch the bytes field i.e 299 B
I am applying mutate convert filter to convert it to int. But after converting it to int i am losing the 'B' part of the value. is there any way i can add it to the field while keeping it in int?
I have converted it to int because if it is a string i am not able to apply appropriate filters on it while creating the visualizations
Here is my logstash pipeline filter module

filter {
  if [3dxp_tag] == "3dxp_apache"
  {
      grok {
        match => { "message" => ["\[%{HTTPDATE:date}\] \| %{NUMBER:response} \| (?<duration>%{NUMBER} %{WORD}) \| (?<bytes>%{NUMBER} %{WORD}|%{DATA}) \| %{IP:remoteip} \| (%{IP:clientip}|%{DATA:clientip}) \| (%{WORD:token}|%{DATA:token}) \| (?<tag1>%{NUMBER} %{WORD}|%{DATA}) \| \"(?<method>%{WORD}) (?<url>%{URIPATHPARAM}) (?:HTTP/%{NUMBER:http_version})\""] }
    }
      mutate {
        convert => {
          "bytes" => "int"
        }
      }
 }
2

I don't think you'll be able to keep the 'B' on an int type field. But if you need both you could create another field using a copy filter so you can use the int field for your visualizations as well as the original string.

1 Like
3

As Carly said, you can have:

  • string: "299 B", no numeric calculation or play with runtime field in ES
  • int:299, mathematic calculation like min, max, avg
  • int:299, and the extra string field "unit": "B"
4

sure, the 3rd option seems good. Thanks for the quick response as always :+1:

1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.