How to assign a new field a certain type and value?

Elastic Stack Logstash
1

Hi,

I´m using the grok filter to process logs. Everything works fine but I can´t find a solution for the following problem:

I need to extract a numerical value out of my log files. There are two ways they appear in the logs. Firstly, as a numerical value from 2-x, which is pretty easy to extract. Secondly they appear as "one", which is a string right. Here is what I´d like to do. When the pattern matches, I want to add a new field with a certain type (integer) and assign this field a certain value (1). I tried the mutate statement with
add_field => { somefield => 1 } and serveral other possibilites e.g. the convert statement. But still when I take a look at the field in Kibana the type still is string.
It is important for me because I want to visualize Logs via Kibana and at the moment I can only process log messages that contain values from 2-x.

Thank you guys
Marv

1 Like
2

Perhaps surprisingly, mutate { add_field => { somefield => 1 } } doesn't actually add an integer field:

$ cat test.config
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
  mutate {
    add_field => { "somefield" => 1 }
  }
}
$ echo 'foo' | /opt/logstash/bin/logstash -f test.config
Logstash startup completed
{
       "message" => "foo",
      "@version" => "1",
    "@timestamp" => "2015-11-09T19:45:06.364Z",
          "host" => "hallonet",
     "somefield" => "1"
}
Logstash shutdown completed

Use a second mutate filter to convert the field.

3

Thanks Magnus,
your proposition actually worked. It worked the following.

filter{
mutate { add_field => {"somefield" => 1} }
mutate { convert => ["somefield","float] }
}

Update:
Perhaps less suprisingly
mutate {convert => ["somefield","interger"]}

also works :slight_smile:

3 Likes