Filter mutate replace field value with value of another field

Chris_Clifton · January 7, 2016, 5:27pm

Hoping this is a simple syntax issue,

I'm adding a tag to events from filebeat on the client shipper,

 fields:
     tag_hostname: "Dev Server"

host value is already present in LS, I want to replace the value of the host field with the value in fields.tag_hostname,

 filter {
 mutate {
    update => { "host" => "[fields.tag_hostname]" }
     }
 }

I've tried all manner of syntax, ("host" => "%{fields.tag_hostname}" , "host" => "%{[fields.tag_hostname}]" etc , none seem to work, host field keeps being replaced with the literal of whatever is between the quotes. Tried without quotes, of course that doesn't work.

magnusbaeck · January 7, 2016, 5:43pm

filter {
  mutate {
    update => { "host" => "%{[fields][tag_hostname]}" }
  }
 }

See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references and the following section.

Chris_Clifton · January 7, 2016, 5:49pm

awesome! that's what I was looking for, thanks for the quick reply!

Topic		Replies	Views
Mutate filter replace - please clarify the documentation Logstash	3	292	September 6, 2018
Logstash mutate replace field Logstash	7	3408	May 16, 2017
Mutate - replace source value Logstash	8	28216	July 6, 2017
Mutate - replace field string using another pattern Logstash	3	4360	December 26, 2016
Mutate filter Logstash	3	268	August 6, 2018

Filter mutate replace field value with value of another field

Related topics