Logstash add_field not working


(Vidy Videni) #1

I add a field named request using following filter, however it doesn't use url_path and 'query_string' values, I tried to change logstash config as

     "request" => "%{[uri_path]}%{[query_string]}"

why the add_field doesn't work as expected?

Logstash output

{
                   "request" => "%{uri_path}%{query_string}",
                      "auth" => "-",
                "body_bytes" => 2955,
             "upstream_addr" => "\"127.0.0.1:9002\"",
                    "source" => "/Data/logs/app.example.com.access.log",
                      "type" => "access_log",
           "upstream_status" => 200,
                  "uri_path" => "/api/trades/gettradeslist",
              "request_time" => 0.109,
                  "@version" => "1",
                      "beat" => {
            "name" => "iZ94muvix60Z",
        "hostname" => "iZ94muvix60Z",
         "version" => "5.6.3"
    },
                      "host" => "iZ94muvix60Z",
                 "timestamp" => "2017-10-19T14:41:28+08:00",
                    "offset" => 1250584231,
                   "tsyuuid" => "bbc15fdc-7a5f-44e7-b3e9-ef3cdde7bccb",
                "input_type" => "log",
                      "verb" => "GET",
                "gzip_ratio" => 4.43,
                   "message" => "- - - [2017-10-19T14:41:28+08:00] bbc15fdc-7a5f-44e7-b3e9-ef3cdde7bccb \"GET /api/trades/gettradeslist?AppToken=U2FsdGVkX1%2FolXAOBAtI6GD4XVlOGU%2FtCUWS%2Bg7QnMqFPj8jMPVqJYj%2Bd4gd1Z9eltC%2BOTkRGYFGMcO%2F%2FRGMBP9rsAdsrMRd8qmMGLtOqPI%3D&mk=866258034114402&versionCode=217&mt=Android&channel=Channel_Default&pageSize=10&system=&isbindemail=2&verifyCode=83f8bde61d613462b2f4204c8ef62ff6a52526ce&isbindmobile=2&is_video=&client=&gameid=5551&minPrice=&sort_type=1&pageNum=0&deal_type=1&is_pic=&s_area=&maxPrice=&isbindcertificate=2 HTTP/1.1\" 200 2955 \"-\" \"App/android_2.1.7\" \"4.43\" 0.109 3233 861 \"127.0.0.1:9002\" 200 0.109",
                "bytes_sent" => 3233,
                      "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_geoip_lookup_failure"
    ],
                  "referrer" => "\"-\"",
                "@timestamp" => 2017-10-19T07:26:15.463Z,
            "request_length" => 861,
               "httpversion" => "1.1",
    "upstream_response_time" => 0.109,
                    "fields" => {
        "app_host" => "app.example.com"
    },
              "query_string" => "?AppToken=U2FsdGVkX1%2FolXAOBAtI6GD4XVlOGU%2FtCUWS%2Bg7QnMqFPj8jMPVqJYj%2Bd4gd1Z9eltC%2BOTkRGYFGMcO%2F%2FRGMBP9rsAdsrMRd8qmMGLtOqPI%3D&mk=866258034114402&versionCode=217&mt=Android&channel=Channel_Default&pageSize=10&system=&isbindemail=2&verifyCode=83f8bde61d613462b2f4204c8ef62ff6a52526ce&isbindmobile=2&is_video=&client=&gameid=5551&minPrice=&sort_type=1&pageNum=0&deal_type=1&is_pic=&s_area=&maxPrice=&isbindcertificate=2",
                    "status" => 200
}

Logstash config

 if [source] =~ "access" {
        mutate { replace => { "type" => "access_log" } }
        mutate {
                add_field => {
                        "request" => "%{uri_path}%{query_string}"
                 }
        }
        grok {
            patterns_dir => ["../patterns"]
            match => { "message" => "%{NGINXACCESS}"}
        }
     }


(Magnus B├Ąck) #2

Filters are run in the order listed in the config file. At the time your mutate filters are run the grok filter hasn't run so the fields don't exist.


(Vidy Videni) #3

@magnusbaeck, you are right , thanks a lot


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.