How to convert type for field like a.b in mutate plugin?

Elastic Stack Logstash
1

As I said here,

And now I change my config to:

if "geo_parse_succeed" in [tags] {
    mutate {
      add_field => {"geoip.location.lon" => "%{longitude}"}
      add_field => {"geoip.location.lat" => "%{latitude}"}
      convert => [ "geoip.location.lon", "float" ]
      convert => [ "geoip.location.lat", "float" ]
      convert => [ "longitude", "float" ]
      convert => [ "latitude", "float" ]
    }
  }

But I find:

  "_source": {
    "latitude": 45.7656666,
    "longitude": 126.6160584,
    "geoip.location.lon": "126.6160584",
    "geoip.location.lat": "45.7656666"
  }

It seems convert doesn't work for field like a.b. So, what should I do if I want to convert a.b to float?

2

As documented, subfield references have the form [a][b].

3

Really Thanks, but one more question:

Any difference between: add_field => {"geoip.location.lon" => "%{longitude}"} and add_field => {"[geoip][location][lon]" => "%{longitude}"}?

4

Yes. a.b.c is a field named "a.b.c" while [a][b][c] means an hiearchy of fields starting with "a" having a subfield "b" having a subfield "c".

5

Really thanks! I changed my config to

mutate {
  add_field => {"[geoip][location][lon]" => "%{longitude}"}
  add_field => {"[geoip][location][lat]" => "%{latitude}"}
  convert => [ "[geoip][location][lon]", "float" ]
  convert => [ "[geoip][location][lat]", "float" ]
}

And it works.

But I still wonder why add_field a.b.c then convert a.b.c doesn't work?

As you said add_field a.b.c means add a field named a.b.c, and we convert the field which named a.b.c to float. I think it should be right.

6

But I still wonder why add_field a.b.c then convert a.b.c doesn't work?

Let's keep that discussion in the other thread: