Conditional checks in mutate gsub

Hello,

When parsing WAS System out logs, I want to check the EventType and replace the abbreviation with the full description,
like:
EventType (Replace with) Full Description

"I" --> "Informational"
"F" --> "Fatal"
"D" --> "Detail"
"A" --> "Audit" etc..

I have syntax something like this, but I am not sure which is correct and most efficient for my conditional checks.

Syntax A

mutate{
    gsub => ["EventType","I","Informational"]
    gsub => ["EventType","F","Fatal"]
    gsub => ["EventType","D","Detail"]
    gsub => ["EventType","A","Audit"]
}

Syntax B

mutate{

    if EventType == "I" {
    	gsub => ["EventType","I","Informational"]
    }else if EventType == "F" {
    	gsub => ["EventType","F","Fatal"]
    }else if EventType == "D" {
    	gsub => ["EventType","D","Detail"]
    }else if EventType == "A" {
    	gsub => ["EventType","A","Audit"]
    }

}

Which is correct? Or suggest the correct and efficient syntax.
Thanks in advance.

Thanks
Fredrick

Syntax B will not work, you cannot have a conditional inside a filter. Syntax A would work, although it could be a single gsub instead of 4.

You could also use a translate filter.

Thanks for the response Badger.

This is the gsub syntax:

mutate{
    gsub => [ "EventType","I","Informational",
              "EventType","F","Fatal",
              "EventType","D","Detail",
              "EventType","A","Audit" ]
}

Regarding the translate filter, this could be the syntax. Please confirm.

translate{
	field => "EventType"
	dictionary => {
		"I"	=>	"Informational",
		"F"	=>	"Fatal",
		"D"	=>	"Detail",
		"A"	=>	"Audit"
	}
}

Now I have two ways to solve my problem.
But which one is more efficient: the mutate or the translate filter?

Please advise. Thanks.

Those look right. I don't think it will make much difference in efficiency.

Okay .. Thank you very much Badger..
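
How the two approaches treat values other than the four single-letter codes, as an added example that is not part of the original posts. It models the thread's unanchored gsub patterns, an anchored variant, and an exact dictionary lookup in plain Ruby; the function names and sample values are constructed, and this is not Logstash's own code.

```ruby
# Mapping taken from the thread's four EventType codes.
EVENT_TYPES = {
  "I" => "Informational",
  "F" => "Fatal",
  "D" => "Detail",
  "A" => "Audit"
}.freeze

# Model of the gsub array from the thread: each pattern is a regular
# expression applied in order to the whole field, with no anchors.
def gsub_unanchored(value)
  EVENT_TYPES.reduce(value) { |v, (code, desc)| v.gsub(Regexp.new(code), desc) }
end

# Same substitutions, but each pattern must match the entire field value
# (the equivalent of writing "^I$" instead of "I" in the gsub array).
def gsub_anchored(value)
  EVENT_TYPES.reduce(value) do |v, (code, desc)|
    v.gsub(/\A#{Regexp.escape(code)}\z/, desc)
  end
end

# Model of an exact-match dictionary lookup (the translate approach):
# unknown values pass through unchanged.
def translate_exact(value)
  EVENT_TYPES.fetch(value, value)
end

# Constructed sample values: two known codes, one unmapped code, and one
# unexpected multi-character value such as a parsing slip might produce.
if __FILE__ == $PROGRAM_NAME
  %w[I F W FD].each do |raw|
    puts format("%-3s unanchored=%-14s anchored=%-14s translate=%s",
                raw, gsub_unanchored(raw), gsub_anchored(raw), translate_exact(raw))
  end
end
```

For the single-letter codes all three give the same result; they differ only when the field holds something unexpected, where the unanchored patterns rewrite every matching letter.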
