Filter if condition in Logstash

Elastic Stack Logstash
1

Hello,

I'm new in Elastic and now I'm trying to modify fields with if condition, but it doesn't work.
Note that I've no error after restarting Logstash.
I just want to create a new field (this part is ok) and then I want to update or replace (don't know the best way) my new field.
Here is my filter :

filter {
  mutate {
  add_field => { "port.name" => "Port name" }
  }
  if  (url.port) == "13000" {
    mutate {
    replace => { [port.name] => "Kaspersky" }
    }
  }
}

Someone can help me ???? Please.

2

Hi,

Can you update your if condition as below and check If it works

  if([url][port]== "13000"){
    mutate {
    replace => { [port][name] => "Kaspersky" }
    }
  }
3

Thanks for your help, but it doesn't work.
I also tried to write if condition like this :

if("[url][port]" == "13000"){
    mutate {
    replace => { "[port][name]" => "Kaspersky" }
    }
  }

by adding " but not better.

An other try I made was :

if("[url][port]"== 13000){
    mutate {
    replace => { "[port][name]" => "Kaspersky" }
    }
  }

by deleting the " of 13000 because the field url.port is an integer.

I'm turning around...

4

Please provide your input data, so that I can try on my side too

5

Do you want the JSON from Kibana ?

{
  "_index": "heartbeat-2019.06.26",
  "_type": "_doc",
  "_id": "9mXRk2sBZ5JtzLdILpq2",
  "_score": 1,
  "_source": {
    "url": {
      "full": "tcp://example.net:13000",
      "scheme": "tcp",
      "domain": "example.net",
      "port": 13000
    },
    "@timestamp": "2019-06-26T12:44:47.044Z",
    "host": {
      "os": {
        "kernel": "4.18.0-21-generic",
        "name": "Ubuntu",
        "platform": "ubuntu",
        "version": "18.04.2 LTS (Bionic Beaver)",
        "codename": "bionic",
        "family": "debian"
      },
      "name": "example",
      "id": "123699f28ff345a28ecf7cc208e6a543",
      "architecture": "x86_64",
      "containerized": false,
      "hostname": "example"
    },
    "resolve": {
      "rtt": {
        "us": 2375
      },
      "ip": "192.168.1.2"
    },
    "ecs": {
      "version": "1.0.0"
    },
    "monitor": {
      "name": "",
      "status": "up",
      "type": "tcp",
      "duration": {
        "us": 4186
      },
      "id": "auto-tcp-0X28C61C257AAC6812-530d2ef90fbce828",
      "check_group": "0a424351-9810-11e9-a811-00155de82c05",
      "ip": "192.168.1.2"
    },
    "portname": "port name",
    "event": {
      "dataset": "uptime"
    },
    "@version": "1",
    "tcp": {
      "rtt": {
        "connect": {
          "us": 1755
        }
      }
    },
    "tags": [
      "beats_input_raw_event"
    ],
    "agent": {
      "id": "ebcd1dd7-9ac3-4695-b470-3ed56228d332",
      "ephemeral_id": "23b63eff-e498-437c-b0a5-714759fb13f6",
      "hostname": "example",
      "type": "heartbeat",
      "version": "7.1.1"
    },
    "summary": {
      "down": 0,
      "up": 1
    }
  },
  "fields": {
    "@timestamp": [
      "2019-06-26T12:44:47.044Z"
    ]
  }
}
6

Try

if [url][port] == 13000 {
1 Like
7

Not better.
When I try like you said, no log is send to Kibana.
I must write like this with the quotes :

if "[url][port]" == 13000 {
8

I appologize, I forgot to delete a bracket...oups
Now it works !!!

Thank you @Badger you solved my problem. Also thanks to @sjabiulla for your help.

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.