Dynamic dictionary in translate plugin

MartinG · October 10, 2018, 11:42am

Hello community!

I would like to use a dynamic dictionary with the translate plugin. Is this possible?

The use case is, to define a dictionary in the "fields" configuration of filebeat and to check each element of the dictionary, if it exists in the message field (regex).

I tested it with this logstash configuration and it would be great if a variable could be used for the dictionary.

input {
  stdin {
  }
}

filter {

  mutate {
    add_field => { mydict => ["abc","ok", "ABC","ok"] }
  }

      translate {
        field       => "[message]"
        destination => "[matched]"

    # working:
    # dictionary  => [ "abc", "ok",
    #                 "ABC", "ok" ]

    # Does not work:
    dictionary  => "%{mydict}"
    exact       => true
    regex       => true
  }

  if [matched] == "ok" {
    mutate {
      add_field => ["match","OK"]
    }
  }
}

output {
  stdout {
    codec => rubydebug {
      metadata => true
    }
  }
}

Any ideas?

system · November 7, 2018, 11:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.