Is there a way to give each mutate task a friendly name?


(Hassan Babaie) #1

I've searched and not really found a clear example:

I have a lot of mutate tasks and I'm trying to understand where I am having some issues with log processing.

However, when I run the local node stats command:

curl -XGET 'localhost:9600/_node/stats/pipelines/main?pretty'

I can't really tell which "mutate" task is which, and so can't tell which is having more IN than OUT.

An example of my mutates is below:

Any advice would be greatly appreciated.

filter {
    split { field => "[records]" }
    split { field => "[records][properties][flows]" }
    split { field => "[records][properties][flows][flows]" }
    split { field => "[records][properties][flows][flows][flowTuples]" }

    mutate {
        add_field => {
            "time" => "%{[records][time]}"
            "systemId" => "%{[records][systemId]}"
            "category" => "%{[records][category]}"
            "operationName" => "%{[records][operationName]}"
            "Version" => "%{[records][properties][Version]}"
            "rule" => "%{[records][properties][flows][rule]}"
            "mac" => "%{[records][properties][flows][flows][mac]}"
        }
    }

    mutate {
        convert => { "unixtimestamp" => "integer" }
        convert => { "srcPort" => "integer" }
        convert => { "destPort" => "integer" }
    }

    mutate {
        split => { "[records][resourceId]" => "/" }
        add_field => {
            "Subscription" => "%{[records][resourceId][2]}"
            "ResourceGroup" => "%{[records][resourceId][4]}"
            "NetworkSecurityGroup" => "%{[records][resourceId][8]}"
        }
    }

    mutate {
        convert => { "Subscription" => "string" }
        convert => { "ResourceGroup" => "string" }
        convert => { "NetworkSecurityGroup" => "string" }
    }

    mutate {
        split => { "[records][properties][flows][flows][flowTuples]" => "," }
        add_field => {
            "unixtimestamp" => "%{[records][properties][flows][flows][flowTuples][0]}"
            "srcIp" => "%{[records][properties][flows][flows][flowTuples][1]}"
            "destIp" => "%{[records][properties][flows][flows][flowTuples][2]}"
            "srcPort" => "%{[records][properties][flows][flows][flowTuples][3]}"
            "destPort" => "%{[records][properties][flows][flows][flowTuples][4]}"
            "protocol" => "%{[records][properties][flows][flows][flowTuples][5]}"
            "trafficflow" => "%{[records][properties][flows][flows][flowTuples][6]}"
            "traffic" => "%{[records][properties][flows][flows][flowTuples][7]}"
            "short_message" => "JSON test short_message"
            "host" => "jsonTest"
        }
    }
}

(Christian Stockhaus) #2

On each filter that you configure you can set an id that is shown in the API output:

...
mutate {
    id => "your friendly name"
    convert => { "Subscription" => "string" }
    convert => { "ResourceGroup" => "string" }
    convert => { "NetworkSecurityGroup" => "string" }
}
...
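Once every filter carries an id, the per-filter counters in the stats output can be read back by that id. As an added example (not part of this thread), the Python script below walks the pipelines/main document returned by the node stats API and lists each filter where fewer events left than entered, which is the IN-versus-OUT comparison the question is after. It runs against a constructed sample of the stats JSON rather than a live node; the filter ids in the sample are invented, and `fetch_stats` is only there for use against a real Logstash instance.

```python
import json
from urllib.request import urlopen

# Constructed sample of /_node/stats/pipelines/main once filters have ids.
# Only the fields this script reads are included; ids are invented.
SAMPLE_STATS = json.dumps({
    "pipelines": {"main": {"plugins": {"filters": [
        {"id": "split_records", "name": "split",
         "events": {"in": 10, "out": 40, "duration_in_millis": 3}},
        {"id": "add_record_fields", "name": "mutate",
         "events": {"in": 40, "out": 40, "duration_in_millis": 2}},
        {"id": "split_flow_tuples", "name": "mutate",
         "events": {"in": 40, "out": 37, "duration_in_millis": 5}},
        {"id": "convert_ports", "name": "mutate",
         "events": {"in": 37, "out": 37, "duration_in_millis": 1}},
    ]}}}
})


def fetch_stats(url="http://localhost:9600/_node/stats/pipelines/main"):
    """Read the stats document from a live node (not used by the sample run)."""
    with urlopen(url) as resp:
        return resp.read().decode("utf-8")


def filter_counts(stats_json, pipeline="main"):
    """Return one (id, name, in, out) tuple per filter, in pipeline order."""
    filters = json.loads(stats_json)["pipelines"][pipeline]["plugins"]["filters"]
    return [(f["id"], f["name"], f["events"]["in"], f["events"]["out"])
            for f in filters]


def lossy_filters(stats_json, pipeline="main"):
    """Filters where out < in: events were dropped or are still in flight.

    A split filter legitimately emits more events than it receives, so a
    surplus on the out side is not reported; only a deficit is."""
    return [(fid, name, n_in, n_out)
            for fid, name, n_in, n_out in filter_counts(stats_json, pipeline)
            if n_out < n_in]


if __name__ == "__main__":
    for fid, name, n_in, n_out in lossy_filters(SAMPLE_STATS):
        print(f"{fid} ({name}): in={n_in} out={n_out} deficit={n_in - n_out}")
```

To use it against a running node, pass `fetch_stats()` instead of `SAMPLE_STATS`; filters left without an id show up under the generated hash Logstash assigns, which is exactly why the ids matter.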

(Hassan Babaie) #3

Thanks Shaoranlaos, this worked perfectly!

Now I know which filter/add field activity is causing me my issue!

Hass

