Filter if condition in Logstash

Hello,

I'm new to Elastic and I'm trying to modify fields with an if condition, but it doesn't work.
Note that I get no error after restarting Logstash.
I just want to create a new field (this part is ok) and then I want to update or replace (I don't know the best way) my new field.
Here is my filter:

filter {
  mutate {
  add_field => { "port.name" => "Port name" }
  }
  if  (url.port) == "13000" {
    mutate {
    replace => { [port.name] => "Kaspersky" }
    }
  }
}

Can someone help me? Please.

Hi,

Can you update your if condition as below and check if it works?

  if([url][port]== "13000"){
    mutate {
    replace => { [port][name] => "Kaspersky" }
    }
  }

Thanks for your help, but it doesn't work.
I also tried writing the if condition like this:

if("[url][port]" == "13000"){
    mutate {
    replace => { "[port][name]" => "Kaspersky" }
    }
  }

by adding ", but it was no better.

Another try I made was:

if("[url][port]"== 13000){
    mutate {
    replace => { "[port][name]" => "Kaspersky" }
    }
  }

by deleting the " of 13000 because the field url.port is an integer.

I'm going around in circles...

Please provide your input data, so that I can try on my side too.

Do you want the JSON from Kibana?

{
  "_index": "heartbeat-2019.06.26",
  "_type": "_doc",
  "_id": "9mXRk2sBZ5JtzLdILpq2",
  "_score": 1,
  "_source": {
    "url": {
      "full": "tcp://example.net:13000",
      "scheme": "tcp",
      "domain": "example.net",
      "port": 13000
    },
    "@timestamp": "2019-06-26T12:44:47.044Z",
    "host": {
      "os": {
        "kernel": "4.18.0-21-generic",
        "name": "Ubuntu",
        "platform": "ubuntu",
        "version": "18.04.2 LTS (Bionic Beaver)",
        "codename": "bionic",
        "family": "debian"
      },
      "name": "example",
      "id": "123699f28ff345a28ecf7cc208e6a543",
      "architecture": "x86_64",
      "containerized": false,
      "hostname": "example"
    },
    "resolve": {
      "rtt": {
        "us": 2375
      },
      "ip": "192.168.1.2"
    },
    "ecs": {
      "version": "1.0.0"
    },
    "monitor": {
      "name": "",
      "status": "up",
      "type": "tcp",
      "duration": {
        "us": 4186
      },
      "id": "auto-tcp-0X28C61C257AAC6812-530d2ef90fbce828",
      "check_group": "0a424351-9810-11e9-a811-00155de82c05",
      "ip": "192.168.1.2"
    },
    "portname": "port name",
    "event": {
      "dataset": "uptime"
    },
    "@version": "1",
    "tcp": {
      "rtt": {
        "connect": {
          "us": 1755
        }
      }
    },
    "tags": [
      "beats_input_raw_event"
    ],
    "agent": {
      "id": "ebcd1dd7-9ac3-4695-b470-3ed56228d332",
      "ephemeral_id": "23b63eff-e498-437c-b0a5-714759fb13f6",
      "hostname": "example",
      "type": "heartbeat",
      "version": "7.1.1"
    },
    "summary": {
      "down": 0,
      "up": 1
    }
  },
  "fields": {
    "@timestamp": [
      "2019-06-26T12:44:47.044Z"
    ]
  }
}

Try

if [url][port] == 13000 {

Not better.
When I try it like you said, no log is sent to Kibana.
I must write it like this, with the quotes:

if "[url][port]" == 13000 {

I apologize, I forgot to delete a bracket... oops
Now it works !!!

Thank you @Badger, you solved my problem. Also thanks to @sjabiulla for your help.
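For reference, a self-contained pipeline built around the condition form given in the thread (`if [url][port] == 13000 {`). It is an added example, not any poster's actual configuration; the two input events are constructed and trimmed to the `url` object from the Kibana document above, and the generator input and stdout output are assumptions chosen so it runs without Beats or Elasticsearch.

```logstash
# Constructed test input: two events, one with url.port 13000 and one without.
input {
  generator {
    count => 1
    codec => json
    lines => [
      '{"url": {"full": "tcp://example.net:13000", "domain": "example.net", "port": 13000}}',
      '{"url": {"full": "tcp://example.net:443", "domain": "example.net", "port": 443}}'
    ]
  }
}

filter {
  # Nested fields are referenced as [parent][child].
  # "port.name" would create a single top-level field whose name contains a dot.
  mutate {
    add_field => { "[port][name]" => "Port name" }
  }

  # In a conditional, a bare [url][port] is a field reference.
  # A quoted "[url][port]" is a string literal, so comparing it to 13000
  # is never true and the branch never runs.
  # url.port is an integer in the event, so compare against 13000, not "13000".
  if [url][port] == 13000 {
    mutate {
      # Option keys inside a hash are quoted strings.
      replace => { "[port][name]" => "Kaspersky" }
    }
  }
}

# Print each event so the value of [port][name] can be checked per event.
output {
  stdout { codec => rubydebug }
}
```

Running `bin/logstash -f` on this file should show `port.name` as `Kaspersky` for the first event and `Port name` for the second; `bin/logstash -t -f` checks the syntax without starting the pipeline.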
