Assigning value to add_field new field

zoplex · July 26, 2016, 5:44pm

Hi,

I get the field defined in filebeat.yml file as:

paths:
- /var/logs/mylog.log
document_type: LOG1
fields:
mytype: FORMAT1

,defining different format spec for each of the log files in the overall group of log files ...

Now I need to take this in the logstash filter and use it for new variables / fields; I can reference it inside the logstash filter as:
...
[fields][mytype] - I can check it inside the 'if' statements, etc ..

How do I assign the value of that file to the new filed created in the mutate section using add_field:
add_field => { "NEWFIELD", [fields][mytype] } - this did not work - what is the correct syntax for this ?

I also tried referencing it with %{[field][mytype]} - but that did not work either:
add_field => { "NEWFIELD", %{[fields][mytype]} }

Thanks in advance!

zoplex · July 26, 2016, 5:52pm

I mean - "How do I assign the value of that field to the new field created in the mutate" - sorry for the typo

magnusbaeck · July 26, 2016, 7:27pm

add_field => { "NEWFIELD", "%{[fields][mytype]}" }

See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references for more examples.

You might also want to use a mutate filter and its rename option if you want to move a field. With add_field you'll end up with two fields with the same contents.

Another option is to configure Filebeat to store the extra fields at the root of the event rather than as subfields of fields. See Filebeat's fields_under_root option.

zoplex · July 27, 2016, 12:16am

I was missing outside double quotes in "%{[fields][mytype]}" - thank you Magnus!