How to swap field values

Hi, I need to swap values between two fields.
I have:
"field1" : "value1"
"field2" : "value2"
I need:
"field1" : "value2"
"field2" : "value1"
Can I do it with the help of some filter plugin?

You can use mutate copy in combination with @metadata

Something like this

 mutate {
         copy => { "field2" => "[@metadata][tmp]" }
      }
 mutate {
         copy => { "field1" => "field2" }
         copy => { "[@metadata][tmp]" => "%{field1}" }
      }

If you need more fields, array or similar, you should use ruby and loop.

In fact I need to swap 3 fields, so my config looks like:

mutate {
  copy => {
    "fld_1" => "[@metadata][t_1]"
    "fld_2" => "[@metadata][t_2]"
    "fld_3" => "[@metadata][t_3]"
  }
}
mutate {
  copy => {
    "fld_10" => "fld_1"
    "fld_20" => "fld_2"
    "fld_30" => "fld_3"
    "[@metadata][t_1]" => "%{fld_10}"
    "[@metadata][t_2]" => "%{fld_20}"
    "[@metadata][t_3]" => "%{fld_30}"
  }
}

As a result I have:
(before)

"fld_1" : "val_1"
"fld_2" : "val_2"
"fld_3" : "val_3"
"fld_10" : "val_10"
"fld_20" : "val_20"
"fld_30" : "val_30"

(after)

"fld_1" : "val_10"
"fld_2" : "val_20"
"fld_3" : "val_30"
"fld_10" : "val_10"
"fld_20" : "val_20"
"fld_30" : "val_30"

What's wrong?

Nothing in your filters modifies fld_10/20/30.

My mistakes, sorry:

  1. It's not "%{field1}"; it should be "field1" in the 2nd "copy".
  2. You cannot replace the value of field1 within one mutate sequence. The mutate operation is like a SQL transaction.

Each mutation must be in its own code block if the sequence of operations needs to be preserved.

input {
  generator {
    message => "Test message"
    count => 1
  }
}
filter {

  # Sample fields to swap
  mutate {
    add_field => {
      "[fld_1]" => "val_1"
      "[fld_2]" => "val_2"
      "[fld_3]" => "val_3"
    }
  }

  mutate {
    add_field => {
      "[fld_10]" => "val_10"
      "[fld_20]" => "val_20"
      "[fld_30]" => "val_30"
    }
  }

  # Step 1: save fld_1/2/3 in @metadata
  mutate {
    copy => {
      "fld_1" => "[@metadata][t_1]"
      "fld_2" => "[@metadata][t_2]"
      "fld_3" => "[@metadata][t_3]"
    }
  }
  # Step 2: overwrite fld_1/2/3 with fld_10/20/30
  mutate {
    copy => {
      "fld_10" => "fld_1"
      "fld_20" => "fld_2"
      "fld_30" => "fld_3"
    }
  }
  # Step 3: write the saved values into fld_10/20/30
  mutate {
    copy => {
      "[@metadata][t_1]" => "fld_10"
      "[@metadata][t_2]" => "fld_20"
      "[@metadata][t_3]" => "fld_30"
    }
  }
  mutate { remove_field => ["@version", "event", "host", "@timestamp", "message"] }

}

output {
  stdout { codec => rubydebug { metadata => true } }
}

Result:

{
       "fld_20" => "val_2",
       "fld_30" => "val_3",
    "@metadata" => {
        "t_2" => "val_2",
        "t_3" => "val_3",
        "t_1" => "val_1"
    },
        "fld_3" => "val_30",
        "fld_2" => "val_20",
       "fld_10" => "val_1",
        "fld_1" => "val_10"
}
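The "use ruby and loop" suggestion from earlier in the thread, as an added example that is not code from any poster: a script for the Logstash ruby filter (loaded with `path =>`) that swaps any number of field pairs in one pass. The `pairs` parameter name, the `SampleEvent` stand-in class and the `demo` helper are assumptions made for this example; the sample event is constructed.

```ruby
# Script for the Logstash ruby filter, e.g. (assumed config):
#   ruby {
#     path => "/path/to/swap_fields.rb"
#     script_params => { "pairs" => { "fld_1" => "fld_10", "fld_2" => "fld_20" } }
#   }

def register(params)
  # "pairs" is a name chosen for this example: left field => right field.
  @pairs = params["pairs"] || {}
end

def filter(event)
  @pairs.each do |left, right|
    a = event.get(left)
    b = event.get(right)
    # Skip a pair unless both sides exist, so nothing is overwritten with nil.
    next if a.nil? || b.nil?
    # Both values were read before either write, so no @metadata
    # temporary and no ordering between mutate blocks is needed.
    event.set(left, b)
    event.set(right, a)
  end
  [event] # a script filter returns the events to pass down the pipeline
end

# Constructed stand-in for LogStash::Event (get/set only), so the script
# can be exercised outside Logstash.
class SampleEvent
  def initialize(data)
    @data = data.dup
  end

  def get(field)
    @data[field]
  end

  def set(field, value)
    @data[field] = value
  end

  def to_hash
    @data
  end
end

# Constructed sample: fld_3 is deliberately missing, so that pair is skipped.
def demo
  register("pairs" => { "fld_1" => "fld_10", "fld_2" => "fld_20", "fld_3" => "fld_30" })
  ev = SampleEvent.new("fld_1" => "val_1", "fld_2" => "val_2",
                       "fld_10" => "val_10", "fld_20" => "val_20", "fld_30" => "val_30")
  filter(ev).first.to_hash
end
```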