How to rename fields

mikygee · August 15, 2017, 9:07am

Hello,

I have grok rules that work fine to match the OS and user agent
filter {
if [program] == "nginx" {

    grok {
        break_on_match => true
        match => [ "message", "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
        tag_on_failure => ["nginx_access_parsing_failed"]
        remove_tag => ["_grokparsefailure"]
        add_tag => ["Web"]
        add_tag => ["Nginx"]
    }
    if [http_user_agent] != "-" and [http_user_agent] != "" {
        useragent {
            source => "http_user_agent"
        }
    }
    if "UA" in [tags] {
        if [device] == "Other" { mutate { remove_field => "device" } }
        if [name]   == "Other" { mutate { remove_field => "name" } }
        if [os]     == "Other" { mutate { remove_field => "os" } }
    }
  }
}

However I would like to rename the terms device, name, os that seem to generic in http_client_device, http_client_browser, http_client_os,

How can I do that ?

Thank you

mikygee · August 15, 2017, 10:09am

I tried that but it doesn't work

grok {
    break_on_match => true
    match => [ "message", "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
    tag_on_failure => ["nginx_access_parsing_failed"]
    remove_tag => ["_grokparsefailure"]
    add_tag => ["Web"]
    add_tag => ["Nginx"]
}
if [http_user_agent] != "-" and [http_user_agent] != "" {
    useragent {
        source => "http_user_agent"
    }
}
if "UA" in [tags] {
    if [device] == "Other" { mutate { remove_field => "device" } }
    if [name]   == "Other" { mutate { remove_field => "name" } }
    if [os]     == "Other" { mutate { remove_field => "os" } }
    mutate {
        rename => [ "name", "http_client_browser" ]
}
}
  }
}

magnusbaeck · August 15, 2017, 11:05am

Where is the UA tag added? Please show an example of an event that Logstash has produced. Use a stdout { codec => rubydebug } output.

mikygee · August 15, 2017, 12:20pm

Thank you for your reply.
The error was under my eyes but I couldn't see it. I had removed the UA tag thinking it was useless. But it was match by the if condition.
Have a nice day

Topic		Replies	Views
Altering the content of a field Logstash	3	588	August 11, 2017
Logstash Grok Filter _tags vs _fields Logstash	5	2279	March 17, 2017
Remove logstash automatic fields Logstash	3	528	July 6, 2017
Want to Change a Field Name (Not a Field Value) Logstash	2	16704	July 6, 2017
Rename Fields Logstash	2	340	June 14, 2018

How to rename fields

Related topics