Filter mutate replace field value with value of another field

Chris_Clifton · January 7, 2016, 5:27pm

Hoping this is a simple syntax issue,

I'm adding a tag to events from filebeat on the client shipper,

 fields:
     tag_hostname: "Dev Server"

host value is already present in LS, I want to replace the value of the host field with the value in fields.tag_hostname,

 filter {
 mutate {
    update => { "host" => "[fields.tag_hostname]" }
     }
 }

I've tried all manner of syntax, ("host" => "%{fields.tag_hostname}" , "host" => "%{[fields.tag_hostname}]" etc , none seem to work, host field keeps being replaced with the literal of whatever is between the quotes. Tried without quotes, of course that doesn't work.

magnusbaeck · January 7, 2016, 5:43pm

filter {
  mutate {
    update => { "host" => "%{[fields][tag_hostname]}" }
  }
 }

See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references and the following section.

Chris_Clifton · January 7, 2016, 5:49pm

awesome! that's what I was looking for, thanks for the quick reply!