Filter add_field

skylamp · January 21, 2019, 4:13am

Hi

I am new to ELK. Need some help with some specific filters.
I am fetching some data from a table using a logstash.conf file.

I wanted to do this:
If status of a user is a or b or c, add a field marking them as X
If status is d or e, add a field marking this type of data as Y

I did the following and tried adding a field called "progress", but the add_field didn't add the progress field

filter {
if [Status] == "In Progress"{
mutate {
add_field => [ "progress", "doing" ]
}
}
elseif [Status]=="Not Started" or [Status]=="Hold" {
mutate {
add_field => [ "progress", "stopped" ]
}
}
elseif [Status] == "Retired" or [Status] == "Production" or [Status] == "Decom" {
mutate {
add_field => [ "progress", "complete" ]
}
}
}

I want to create a data table in kibana based on this progress field, but it is not showing up.
Am I doing something wrong?

Regards
Arshdeep

Badger · January 21, 2019, 1:06pm

mutate+add_field expects a hash, not an array, so you should be doing

mutate { add_field => { "progress" => "doing" } }

instead of

mutate { add_field => [ "progress", "doing" ] }

But it will do an implicit conversion from array to hash for you, so that does not stop things working. That implies that your conditionals such as

if [Status] == "In Progress"{

are not working the way you expect. Can you show us what an event looks like in the JSON tab in Kibana?

system · February 18, 2019, 1:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter if condition in Logstash Logstash	8	19412	July 24, 2019
Add new field based on value in event_data Beats winlogbeat	3	797	September 29, 2017
Logstash not adding new field tag Logstash	3	302	December 4, 2020
Issues with Logstash Conditionals inside filter Logstash	7	374	May 10, 2019
Adding new field based on AND Condition Logstash	4	502	January 14, 2021

Filter add_field

Related topics