Hi Experts,
I want to create a filed (pri_caption) in logstash based on a condition i.e
addfield pri_caption {
if priority between 1 to 3 then "low"
else if priority between 4 to 7 then "medium"
elase High
}
Please suggest how I can achieve this ?
Thanks
VG
Example:
filter {
if [priority] >= 1 and [priority] <= 3 {
mutate {
add_field => ["pri_caption", "low"]
}
}
}
If there's an enumerable number of priorities you could also use the translate filter.
Thanks Magnus,
May I achieve the same with scripted filed as well, I mean what if I do not want to do this in LS . What if I want to achieve this at the time of search in kibana ?
Thanks
VG
You should be able to set up a scripted field for this. Lucene expressions support the ternary operator so if you just want "low", "medium", or "high" depending on the value of a numerical field it should be trivial.
so I tried this but it does not work
doc['priority'].value == 9 ? high : low
You'll have to double-quote the strings, but glancing at the docs I'm not sure strings are supported in Lucene expressions. You may have to enable Groovy scripts, but I'm out of my depth here.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.