Filter to change the field name to be more user friendly

Shreesh_Narayanan · September 7, 2021, 1:53pm

Hello,

I have a log line for diskusage such as

disk-usage: [1]=76% [2]=26% [3]=26% [4]=24% [5]=24% [6]=28%

i used dissect and kv to get the values as needed .

{
    "@timestamp" => 2021-09-06T08:22:46.944Z,
             "4" => "24%",
             "1" => "76%",
             "6" => "28%",
             "5" => "24%",
             "3" => "26%",
             "2" => "26%"
}

However i needed to rename the field name to something more user friendly . such as renaming [1]=>"76%" to disk#1 => "76%" . I have logs from various machines that have varying number of disks on them . would mutate's rename filter help ? i tried and it doesnt seem to be working .

	dissect
	{
	mapping => {"message" => "%{time}|%{threadID}|%{?rest}:%{DISK}"}
	}
	kv 
	{
	source => "DISK"
	trim_value => "="
	}
	mutate
	{
	rename => {"[0-9]" => "Disk [0-9]"}
	}	
	}

Badger · September 7, 2021, 2:32pm

I explained how to do that the last time I answered this question for you.

Shreesh_Narayanan · September 8, 2021, 4:38am

Thank you @Badger . I lost track of that thread .

system · October 6, 2021, 4:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.