Filter not working when something has a period in its name


(Ben Hoffman) #1

So I need to write a filter that changes all the periods in field names to underscores. I am using mutate, and I can do some things and not other things. For reference here is my current output in Kibana.

See those fields that say "packet.event-id" and so forth? I need to rename all of those. Here is my filter that I wrote and I do not know why it doesn't work.

The problem is that I CAN add a field, and the renaming of "offset" WORKS. But when I try and do the packet one nothing changes. I feel like this should be simple and I am very confused as to why only the one with a period in it doesn't work.

I have refreshed the index in Kibana, and still nothing changes. Anyone have a solution?


(Magnus Bäck) #2

Why not just use the de_dot filter?


(Ben Hoffman) #3

The documentation says that it is expensive, and has to copy each field's data to a whole new reference.

"It should only be used if no other options are available."


(Ben Hoffman) #4

Logstash also seems to be ignoring that these fields that start with "packet" are even there. The reason I say that is because I did this:

    mutate {
      add_field => {
        "my_packet_event_id" => "%{packet.event-id}"
      }
    }

and it did not work either. The field was added but the value was literally a string that said

    %{packet.event-id}
