Thomas74
(Thomas R.)
September 22, 2020, 9:33am
1
Hi,
I'm trying to assign a value to a field. This one is the same as another variable.
Here is my filter:
filter {
  if !([fields][hostgroup]) {
    mutate {
      update => { "[fields][hostgroup]" => "default" }
    }
  }
  mutate {
    add_field => { "[@metadata][indexName]" => "%{[fields][hostgroup]}" }
  }
}
I use [@metadata][indexName] to select a specific index in my output:
index => "syslog_%{[@metadata][indexName]}"
The problem is that my final index name is equal to: syslog_%{[fields][hostgroup]}
Can you help me find my mistake?
Best regards,
Thomas
Thomas74
(Thomas R.)
September 25, 2020, 8:31am
2
I also tested this config:
if [type] != "forti_log" and [type] != "syslog" and [type] != "" {
  mutate {
    update => { "[@metadata][indexName]" => "${[type]}" }
  }
}
But same result:
syslog_${[type]}
On another forum they said that you can assign an object to another object like this, but it doesn't work. What is the correct syntax?
Badger
September 25, 2020, 2:09pm
3
Look in the syslog_%{[fields][hostgroup]} index and see what value the [fields][hostgroup] field has.
Thomas74
(Thomas R.)
September 25, 2020, 2:39pm
4
I finally found my mistake. I had to use mutate copy instead of "add_field" or "update". But thanks @Badger for your answer.
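The fix described in the post above, written out as a complete filter and output. This is an added example, not configuration posted by anyone in the thread; the Elasticsearch address is an assumed placeholder, and the lowercase step and the use of add_field for the default are additions beyond what the thread states.

```logstash
filter {
  # Set a default when the event carries no host group.
  # add_field creates the field; mutate's update option only changes
  # a field that already exists and does nothing otherwise.
  if ![fields][hostgroup] {
    mutate {
      add_field => { "[fields][hostgroup]" => "default" }
    }
  }

  # Copy the value into @metadata. @metadata is available to conditionals
  # and sprintf references but is not shipped as part of the event.
  mutate {
    copy => { "[fields][hostgroup]" => "[@metadata][indexName]" }
  }

  # Elasticsearch index names must be lowercase. This sits in its own
  # mutate block because, inside a single block, the operations run in a
  # fixed order in which lowercase comes before copy.
  mutate {
    lowercase => [ "[@metadata][indexName]" ]
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed address, replace with your own
    index => "syslog_%{[@metadata][indexName]}"
  }
}
```

An index whose name still contains a literal %{...} means the referenced field was missing on that event when the reference was evaluated.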