Logstash 2.2.2 mutuate

genesis · March 10, 2016, 5:01pm

I am running logstash 2.2.2 and I am trying to rename these 2 fields from my data and it does not take effect on the index. Please help

Rename "Fashion&Beauty" to Fashion_and_Beauty
"Business/Finance" to Business_and_Finance

input {
file {
path => "/var/data/logstash/myfile.log"
start_position => beginning
#sincedb_path => "/var/data/logstash"

}

filter {
mutate {
remove_field => [ "@version" ]
rename => [ "Fashion&Beauty", "Fashion_and_Beauty" ]
rename => [ "Business/Finance", "Business_and_Finance" ]
}
}

output {
elasticsearch {
hosts => "http://localhost:9200"
manage_template => false
index => "myindex"
}
}

magnusbaeck · March 10, 2016, 6:03pm

Works fine for me.

$ cat test.config
input { stdin { codec => json } }
output { stdout { codec => rubydebug } }
filter {
  mutate {
    remove_field => [ "@version" ]
    rename => [ "Fashion&Beauty", "Fashion_and_Beauty" ]
    rename => [ "Business/Finance", "Business_and_Finance" ]
  }
}
$ echo '{"Fashion&Beauty": "foo", "Business/Finance": "bar"}' | /opt/logstash/bin/logstash -f test.config
Settings: Default pipeline workers: 2
Logstash startup completed
{
              "@timestamp" => "2016-03-10T18:01:42.493Z",
                    "host" => "hallonet",
      "Fashion_and_Beauty" => "foo",
    "Business_and_Finance" => "bar"
}
Logstash shutdown completed

genesis · March 10, 2016, 9:06pm

Thank you

genesis · March 10, 2016, 9:37pm

I forgot to mention that the data is a nested json file, that's why it is working for you and not for us.
Here is a sample of the data:
{
"verticals": {

"Business/Finance": xxxxx,
"Fashion&Beauty": xxxxxx,
"Automotive":xxxxxxx

},
"@timestamp": "2016-03-10T18:21:46.335+0000",
"url": "wssomeurl/html"
}
Here is the configuration in prod logstash
input {
kafka {
zk_connect => "zookeeper.prod.01.2181,zookeeper.prod.02.2181,zookeeper.prod.03.2181"
decorate_events => true
group_id => "ver-page-prod"
topic_id => "page-prod"
consumer_threads => 2
codec => "json"
}
}

filter {
if [kafka][consumer_group] == "ver-page-prod" {
mutate {
remove_field => [ "Keywords", "[kafka][msg_size]", "[kafka][topic]", "[kafka][key]", "[kafka][partition]" ]
rename => [ "Business/Finance", "Business_and_Finance" ]
rename => [ "Fashion&Beauty", "Fashion_and_Beauty" ]
}
}
}

output {
if [kafka][consumer_group] == "ver-page-prod" {
elasticsearch {
hosts => "cluster01"
index => "myindex"
}
elasticsearch {
hosts => "cluster02"
index => "myindex"
}
}
}

genesis · March 10, 2016, 11:02pm

We got it to work...thanks again....

Topic		Replies	Views
Mutate rename filter not working on nested fields Logstash	3	2392	December 6, 2019
Mutate rename filter not working on nested fields Logstash	3	617	December 15, 2020
Renaming multiple fields that are nested Logstash	4	1020	April 8, 2022
Rename json nested fields using mutate Logstash	5	448	September 1, 2023
Renaming fields wild card logstash Logstash	3	2215	August 6, 2019

Logstash 2.2.2 mutuate

Related topics