I want to add new field and replace the one of the existing field value to the newly added field

satyam2593 · August 15, 2019, 6:31am

The below is the input for the config file.. Here i want to grep the date from the one of the line and store into a field(called logdate).. Later i want to create the new field(called log_timestamp) with null value and replace that null value with logdate field value..

For the second line, the log_timestamp field is getting the value from the logdate field.. But next lines it is not getting

My stdin input:

START the log printing 08/08/19 09:10:06 343

PID|THREAD NAME|CPU UTILIZATION|MEMORY UTILIZATION
7066|DestroyJavaVM|0.0|11.3
7072|Reference Handler|0.0|11.3
31204|qtp1459076321-3197|0.0|11.3

END the log printing 08/08/19 09:10:06 831

My config file:
filter
{

     mutate
     {
     add_field=>{"log_timestamp"=>""}
     }
	if [message] =~ /^[-\/]/
    {
            drop{}

    }
    if "START" in [message]
    {
		grok 
			{
            match => { "message" => "%{GREEDYDATA} (?<logdate>%{MONTHDAY}/%{MONTHNUM}/%{YEAR}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{NUMBER})"}
			}	
	}
	else
	{
		grok
			{
			 match=> {"message" => "%{INT:Thread_Id}\|%{GREEDYDATA:Thread_Name}\|%{BASE16FLOAT:CPU_Utilization}\|%{BASE16FLOAT:Memory_Utilization}"}
			}
		
	}
	if "END the log printing" in [message]
    {
            drop{}
    }
	
	if "PID" in [message]
    {
		drop {}
    }
	mutate
       {
          replace => {"log_timestamp"=> " %{logdate}"}
       }	
}

Output:
{
"@timestamp" => 2019-08-15T06:19:31.505Z,
"logdate" => "08/08/19 09:10:06 343",
"@version" => "1",
"log_timestamp" => " 08/08/19 09:10:06 343",
"host" => "localhost.localdomain",
"message" => "START the log printing 08/08/19 09:10:06 343"
}
{
"@timestamp" => 2019-08-15T06:19:31.506Z,
"@version" => "1",
"log_timestamp" => " %{logdate}",
"PID" => "7066",
"THREAD NAME" => "DestroyJavaVM",
"host" => "localhost.localdomain",
"message" => "7066|DestroyJavaVM|0.0|11.3",
"CPU UTILIZATION" => "0.0",
"MEMORY UTILIZATION" => "11.3"
}
{
"@timestamp" => 2019-08-15T06:19:31.507Z,
"@version" => "1",
"log_timestamp" => " %{logdate}",
"PID" => "7072",
"THREAD NAME" => "Reference Handler",
"host" => "localhost.localdomain",
"message" => "7072|Reference Handler|0.0|11.3",
"CPU UTILIZATION" => "0.0",
"MEMORY UTILIZATION" => "11.3"
}
{
"@timestamp" => 2019-08-15T06:19:31.507Z,
"@version" => "1",
"log_timestamp" => " %{logdate}",
"PID" => "31204",
"THREAD NAME" => "qtp1459076321-3197",
"host" => "localhost.localdomain",
"message" => "31204|qtp1459076321-3197|0.0|11.3",
"CPU UTILIZATION" => "0.0",
"MEMORY UTILIZATION" => "11.3"
}

system · September 13, 2019, 4:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to assign the extracted data from log file to new added fields Logstash	6	284	September 27, 2020
Adding new fields from grok filter in logstash Logstash	1	547	November 20, 2018
Logstash replace existing fields & file input advice Logstash	4	771	November 30, 2020
How to create a new field by extracting data from already generated field? Logstash	5	462	November 7, 2018
I cant set values in new fields Logstash	2	442	February 11, 2020

I want to add new field and replace the one of the existing field value to the newly added field

My stdin input:

START the log printing 08/08/19 09:10:06 343

PID|THREAD NAME|CPU UTILIZATION|MEMORY UTILIZATION 7066|DestroyJavaVM|0.0|11.3 7072|Reference Handler|0.0|11.3 31204|qtp1459076321-3197|0.0|11.3

END the log printing 08/08/19 09:10:06 831

Related topics

PID|THREAD NAME|CPU UTILIZATION|MEMORY UTILIZATION
7066|DestroyJavaVM|0.0|11.3
7072|Reference Handler|0.0|11.3
31204|qtp1459076321-3197|0.0|11.3