Filter mutate replace field value with value of another field

Chris_Clifton · January 7, 2016, 5:27pm

Hoping this is a simple syntax issue,

I'm adding a tag to events from filebeat on the client shipper,

 fields:
     tag_hostname: "Dev Server"

host value is already present in LS, I want to replace the value of the host field with the value in fields.tag_hostname,

 filter {
 mutate {
    update => { "host" => "[fields.tag_hostname]" }
     }
 }

I've tried all manner of syntax, ("host" => "%{fields.tag_hostname}" , "host" => "%{[fields.tag_hostname}]" etc , none seem to work, host field keeps being replaced with the literal of whatever is between the quotes. Tried without quotes, of course that doesn't work.

magnusbaeck · January 7, 2016, 5:43pm

filter {
  mutate {
    update => { "host" => "%{[fields][tag_hostname]}" }
  }
 }

See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references and the following section.

Chris_Clifton · January 7, 2016, 5:49pm

awesome! that's what I was looking for, thanks for the quick reply!

Topic		Replies	Views
Bug or my usage of Mutate filter? Logstash	3	675	July 6, 2017
Mutate filter replace - please clarify the documentation Logstash	3	274	September 6, 2018
Update field value if it matches a certain word Logstash	4	3579	October 25, 2019
Filter mutate replace a field for specific value Logstash	4	145	April 25, 2024
Logstash mutate replace field Logstash	7	3384	May 16, 2017

Filter mutate replace field value with value of another field

Related topics