Issue in renaming fieldname which contains dots


(Gautham) #1

Hi All,

I have been breaking my head over renaming a field value in Logstash and have found no solution.

Here is my field value, result.caller_id.location.latitude, and I'm trying to rename it to latitude. The rename filter accepts only single dots; if I have two or more dots, it simply does not do any work.

This is my filter

filter {
  mutate { rename => { "result.caller_id.location.longitude" => "Longitude" } }
}

I have tried this as well, but no luck:

filter {
  mutate { rename => { "[result][caller_id][location][longitude]" => "Longitude" } }
}

Any help here please.

Thanks
Gauti


(Magnus Bäck) #2

Show us an example document (raw JSON please) so we can see exactly what it looks like.


(Gautham) #3

@magnusbaeck here is the document; it's an XML file.

<result>
<close_code>null</close_code>
<assignment_group>Network</assignment_group>
<description>
I just moved from floor 2 to floor 3 and my laptop cannot connect to any wireless network.
</description>
<child_incidents/>
<closed_by/>
<number>INC0000003</number>
<contact_type>Chat Bot</contact_type>
<urgency>1 - High</urgency>
<sys_created_on>2014-02-23 06:41:46</sys_created_on>
<problem_id/>
<caller_id.location.longitude>-79.839616</caller_id.location.longitude>
<company>ACME North America</company>
<state>Active</state>
<reassignment_count>2</reassignment_count>
<caller_id.location.latitude>36.046332</caller_id.location.latitude>
<sys_created_by>admin</sys_created_by>
<assigned_to>Beth Anglin</assigned_to>
<knowledge>false</knowledge>
<severity>1 - High</severity>
<closed_at/>
<cmdb_ci/>
<impact>1 - High</impact>
<reopen_count>1</reopen_count>
<priority>1 - Critical</priority>
<caller_id.location>3030 High Point Rd, Greensboro NC</caller_id.location>
<escalation>Normal</escalation>
<resolved_at/>
<location>Salt Lake City</location>
<category>Network</category>
</result>

Thanks
Gauti


(Magnus Bäck) #4

No, the JSON document that Logstash produces. Copy/paste from Kibana's JSON tab or use stdout { codec => rubydebug } output (which doesn't produce JSON, but it does dump the raw event).


(Gautham) #5

@magnusbaeck here is the JSON from Kibana:

{
  "_index": "servicenow",
  "_type": "doc",
  "_id": "2Yj1XGYBMgAiRwMBIhZo",
  "_version": 1,
  "_score": null,
  "_source": {
    "http_poller_metadata": {
      "name": "url",
      "response_message": "OK",
      "request": {
        "url": "https://demo1.service-now.com/api/now/table/incident?sysparm_display_value=true&sysparm_exclude_reference_link=True&sysparm_fields=number%2Ccategory%2Cpriority%2Cstate%2Cassignment_group%2Cassigned_to%2Cchild_incidents%2Cclose_code%2Cclosed_at%2Cclosed_by%2Ccompany%2Ccmdb_ci%2Ccontact_type%2Csys_created_on%2Csys_created_by%2Cdescription%2Cescalation%2Cimpact%2Cknowledge%2Cproblem_id%2Creassignment_count%2Creopen_count%2Cresolved_at%2Cseverity%2Curgency%2Ccaller_id.location.latitude%2Ccaller_id.location.longitude",
        "method": "get"
      },
      "response_headers": {
        "set-cookie": "glide_session_store=1A3C023D4F89634054C8B1828110C7B0; Expires=Wed, 10-Oct-2018 09:26:56 GMT; Path=/; HttpOnly;Secure",
        "x-is-logged-in": "true",
        "expires": "0",
        "x-total-count": "117",
        "pragma": "no-store,no-cache",
        "server": "ServiceNow",
        "content-type": "application/json;charset=UTF-8",
        "date": "Wed, 10 Oct 2018 09:25:56 GMT",
        "x-transaction-id": "5a1b1af14fc9",
        "transfer-encoding": "chunked",
        "strict-transport-security": "max-age=63072000; includeSubDomains",
        "cache-control": "no-cache,no-store,must-revalidate,max-age=-1"
      },
      "times_retried": 0,
      "host": "0.0.0.0",
      "code": 200,
      "runtime_seconds": 0.289799
    },
    "@timestamp": "2018-10-10T07:51:00.847Z",
    "result": {
      "severity": "3 - Low",
      "resolved_at": "2015-10-21 12:56:12",
      "closed_by": "Don Goodliffe",
      "urgency": "3 - Low",
      "category": "Inquiry / Help",
      "problem_id": "",
      "escalation": "Normal",
      "description": "",
      "impact": "3 - Low",
      "state": "Closed",
      "sys_created_on": "2015-08-03 16:58:44",
      "reopen_count": "",
      "company": "ACME North America",
      "child_incidents": "",
      "contact_type": "Phone",
      "knowledge": "false",
      "caller_id.location.latitude": "39.691429",
      "closed_at": "2015-07-19 16:58:58",
      "close_code": "Closed/Resolved by Caller",
      "sys_created_by": "don.goodliffe",
      "assigned_to": "Don Goodliffe",
      "cmdb_ci": "",
      "assignment_group": "Service Desk",
      "number": "INC0000028",
      "caller_id.location.longitude": "-104.940104",
      "reassignment_count": "2",
      "priority": "5 - Planning"
    },
    "@version": "1"
  },
  "fields": {
    "result.resolved_at": [
      "2015-10-21T12:56:12.000Z"
    ],
    "result.sys_created_on": [
      "2015-08-03T16:58:44.000Z"
    ],
    "@timestamp": [
      "2018-10-10T07:51:00.847Z"
    ],
    "result.closed_at": [
      "2015-07-19T16:58:58.000Z"
    ]
  },
  "sort": [
    1539157860847
  ]
} 

Thanks
Gauti


(Magnus Bäck) #6

You need to reference the fields like this: [result][caller_id.location.longitude].
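
Why the two earlier attempts did nothing and this reference works, shown as an added example that is not part of the original thread and is not Logstash's own code: a simplified Ruby model of field-reference resolution, assuming that a bare name is a single top-level key and that each `[segment]` descends exactly one level, with dots never acting as separators. The helper names and the trimmed sample event are constructed for illustration.

```ruby
# Simplified model (assumption, not Logstash source): dots are literal
# characters in a key; only [a][b] bracket chains describe nesting.
def parse_reference(ref)
  return [ref] unless ref.start_with?("[")
  segments = ref.scan(/\[([^\[\]]+)\]/).flatten
  unless segments.map { |s| "[#{s}]" }.join == ref
    raise ArgumentError, "malformed field reference: #{ref}"
  end
  segments
end

# Mimics mutate/rename: moves the value if the source exists, otherwise
# leaves the event untouched and returns false (a silent no-op).
def rename(event, from, to)
  *parents, leaf = parse_reference(from)
  holder = parents.reduce(event) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  return false unless holder.is_a?(Hash) && holder.key?(leaf)
  value = holder.delete(leaf)
  *to_parents, to_leaf = parse_reference(to)
  target = to_parents.reduce(event) { |node, key| node[key] ||= {} }
  target[to_leaf] = value
  true
end

# Constructed sample: the "result" object from the Kibana document, trimmed.
def sample_event
  { "result" => { "number" => "INC0000028",
                  "caller_id.location.latitude"  => "39.691429",
                  "caller_id.location.longitude" => "-104.940104" } }
end

# The three references tried in the thread, in order.
ATTEMPTS = [
  "result.caller_id.location.longitude",       # one top-level key: absent
  "[result][caller_id][location][longitude]",  # four levels deep: absent
  "[result][caller_id.location.longitude]"     # two levels: present
].freeze

def try_all
  ATTEMPTS.map { |ref| [ref, rename(sample_event, ref, "Longitude")] }.to_h
end

# Corresponding Logstash filter, per the answer above:
#   mutate { rename => { "[result][caller_id.location.longitude]" => "Longitude" } }
try_all.each { |ref, ok| puts "#{ok ? 'renamed' : 'no-op  '}  #{ref}" } if __FILE__ == $0
```
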


(Gautham) #7

Got it @magnusbaeck, thank you very much. This worked like a charm.

