How to create a custom document

Kernel_Panic · November 6, 2019, 3:30pm

Hello
I was able to configure the following:
From the json document I have this:

"MyValue": "Key value based on a specific field",

"host": {
"name": "hostname"
},

"tags": [
"beats_input_codec_plain_applied",
],

... SNIP ...

I would like to create some similar instead of having key:value like this

"MyValue" : {
"name": "content from the specific field"
}

Or something like this:

"MyTags": [
"product_tag",
"another_custom_tag",,
],

Did I myself clear? is that possible to do with logstash?
Thanks
Regards

ben.west · November 7, 2019, 2:05pm

You can use the add_field and add_tag common options inside any filters (and most if not all of the input and output plugins if I recall correctly). With these you can construct any shape of hash you wish at the "output" side of logstash.

If you want a little more detail, it would be helpful if you share some of your input data and your logstash configuration. We could then possibly offer other ways to achieve your end goal.

Kernel_Panic · November 7, 2019, 6:06pm

@ben.west Hello, thanks for your help
I have a log which contains something like this:

20191030102428 ,XX,CONDITION_COLOR,SYSTEM~JAVA~hostname_SYSTEMID_00,Errors message

First column is a time stamp, XX can be an alert condition , condition_color can be RED, GREEN or something, the rest of the columns are descriptions about the system triggering the alert, so far
so good with that.

Then I have this filter to rename default name column names.

filter {
	csv { autodetect_column_names => false }
		mutate {
		 rename => { "column4" => "Description" }
		 rename => { "column2" => "Severity" }
		 rename => { "column3" => "Status" }
		 rename => { "column5" => "Alert_Description" }
		 rename => { "column1" => "Alert_TimeStamp" }
		 
	  }
}

With that configuration I get for example, on the document root:
Status: GREEN

But I would like to have something like this:

Status": [
"GREEN"
],
Or

"Status_Tag": {
"name": "GREEN""
},

Thanks
Regards

ben.west · November 11, 2019, 11:08am

Hi @Kernel_Panic,

You can use the nested notation to create/rename columns as you wish like this:
rename => { "column3" => "[status_tag][name]" }

Which will create a hash in the output object:

{
             "@version" => "1",
                 "path" => "/tmp/test.csv",
              "message" => "20191030102428 ,XX,CONDITION_COLOR,SYSTEM~JAVA~hostname_SYSTEMID_00,Errors message",
             "Severity" => "XX",
          "Description" => "SYSTEM~JAVA~hostname_SYSTEMID_00",
    "Alert_Description" => "Errors message",
      "Alert_TimeStamp" => "20191030102428 ",
                 "host" => "d506bfbd5ab6",
           "@timestamp" => 2019-11-11T11:01:02.357Z,
           "status_tag" => {
        "name" => "CONDITION_COLOR"
    }
}

The config reference for events is a great place to get started using and understanding nested fields.

Thanks,
Ben

Kernel_Panic · November 11, 2019, 12:26pm

@ben.west thank you very much.!!
Regards

system · December 9, 2019, 12:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash: Adding custom field to documennt Logstash	6	1176	August 8, 2018
Get the name of the log file and create a tag or a custom field with that value Logstash	2	275	June 25, 2021
How to create custom document _id in logstash? Logstash	7	10702	February 20, 2018
Customize document fields in elasticsearch Logstash	2	234	August 8, 2018
Create a custom id from a a database columns Logstash	9	1024	January 16, 2019

How to create a custom document

Related topics