Bug or my usage of Mutate filter?

LeeSyd · February 8, 2016, 4:22pm

Not sure if this is a bug or I'm not getting the syntax right with the Mutate filter but I'm trying to configure Topbeat and mutate the field name to match others I already have in elasticsearch.

I've got:

                    rename => {
                            "host" => "server"
                    }

which works successfully but changing it to:

                    rename => {
                            "beat.hostname" => "server"
                    }

does not - nothing with a "." in the field name. The same issue if I try to add a new field and assign value from an existing field with a "." in the name:

                    add_field => {
                            "server" => "%{beat.hostname}"
                    }

I've tried escaping with a \ but that has not worked. Am I missing something?

Thanks,

Lee

magnusbaeck · February 9, 2016, 7:31pm

See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references for which syntax to use for subfields.

LeeSyd · February 10, 2016, 12:02pm

Great - that's sorted it, thank you.

Code is now:

                rename => {
                        "[beat][hostname]" => "server"
                }

or

                add_field => [
                        "server" => "%{[beat][hostname]}"
                }

Thanks for the guidance,

Lee