Filter add_field

skylamp · January 21, 2019, 4:13am

Hi

I am new to ELK. Need some help with some specific filters.
I am fetching some data from a table using a logstash.conf file.

I wanted to do this:
If status of a user is a or b or c, add a field marking them as X
If status is d or e, add a field marking this type of data as Y

I did the following and tried adding a field called "progress", but the add_field didn't add the progress field

filter {
if [Status] == "In Progress"{
mutate {
add_field => [ "progress", "doing" ]
}
}
elseif [Status]=="Not Started" or [Status]=="Hold" {
mutate {
add_field => [ "progress", "stopped" ]
}
}
elseif [Status] == "Retired" or [Status] == "Production" or [Status] == "Decom" {
mutate {
add_field => [ "progress", "complete" ]
}
}
}

I want to create a data table in kibana based on this progress field, but it is not showing up.
Am I doing something wrong?

Regards
Arshdeep

Badger · January 21, 2019, 1:06pm

mutate+add_field expects a hash, not an array, so you should be doing

mutate { add_field => { "progress" => "doing" } }

instead of

mutate { add_field => [ "progress", "doing" ] }

But it will do an implicit conversion from array to hash for you, so that does not stop things working. That implies that your conditionals such as

if [Status] == "In Progress"{

are not working the way you expect. Can you show us what an event looks like in the JSON tab in Kibana?

system · February 18, 2019, 1:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.