Logstash add_field not working

Elastic Stack Logstash
1

I add a field named request using following filter, however it doesn't use url_path and 'query_string' values, I tried to change logstash config as

     "request" => "%{[uri_path]}%{[query_string]}"

why the add_field doesn't work as expected?

Logstash output

{
                   "request" => "%{uri_path}%{query_string}",
                      "auth" => "-",
                "body_bytes" => 2955,
             "upstream_addr" => "\"127.0.0.1:9002\"",
                    "source" => "/Data/logs/app.example.com.access.log",
                      "type" => "access_log",
           "upstream_status" => 200,
                  "uri_path" => "/api/trades/gettradeslist",
              "request_time" => 0.109,
                  "@version" => "1",
                      "beat" => {
            "name" => "iZ94muvix60Z",
        "hostname" => "iZ94muvix60Z",
         "version" => "5.6.3"
    },
                      "host" => "iZ94muvix60Z",
                 "timestamp" => "2017-10-19T14:41:28+08:00",
                    "offset" => 1250584231,
                   "tsyuuid" => "bbc15fdc-7a5f-44e7-b3e9-ef3cdde7bccb",
                "input_type" => "log",
                      "verb" => "GET",
                "gzip_ratio" => 4.43,
                   "message" => "- - - [2017-10-19T14:41:28+08:00] bbc15fdc-7a5f-44e7-b3e9-ef3cdde7bccb \"GET /api/trades/gettradeslist?AppToken=U2FsdGVkX1%2FolXAOBAtI6GD4XVlOGU%2FtCUWS%2Bg7QnMqFPj8jMPVqJYj%2Bd4gd1Z9eltC%2BOTkRGYFGMcO%2F%2FRGMBP9rsAdsrMRd8qmMGLtOqPI%3D&mk=866258034114402&versionCode=217&mt=Android&channel=Channel_Default&pageSize=10&system=&isbindemail=2&verifyCode=83f8bde61d613462b2f4204c8ef62ff6a52526ce&isbindmobile=2&is_video=&client=&gameid=5551&minPrice=&sort_type=1&pageNum=0&deal_type=1&is_pic=&s_area=&maxPrice=&isbindcertificate=2 HTTP/1.1\" 200 2955 \"-\" \"App/android_2.1.7\" \"4.43\" 0.109 3233 861 \"127.0.0.1:9002\" 200 0.109",
                "bytes_sent" => 3233,
                      "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_geoip_lookup_failure"
    ],
                  "referrer" => "\"-\"",
                "@timestamp" => 2017-10-19T07:26:15.463Z,
            "request_length" => 861,
               "httpversion" => "1.1",
    "upstream_response_time" => 0.109,
                    "fields" => {
        "app_host" => "app.example.com"
    },
              "query_string" => "?AppToken=U2FsdGVkX1%2FolXAOBAtI6GD4XVlOGU%2FtCUWS%2Bg7QnMqFPj8jMPVqJYj%2Bd4gd1Z9eltC%2BOTkRGYFGMcO%2F%2FRGMBP9rsAdsrMRd8qmMGLtOqPI%3D&mk=866258034114402&versionCode=217&mt=Android&channel=Channel_Default&pageSize=10&system=&isbindemail=2&verifyCode=83f8bde61d613462b2f4204c8ef62ff6a52526ce&isbindmobile=2&is_video=&client=&gameid=5551&minPrice=&sort_type=1&pageNum=0&deal_type=1&is_pic=&s_area=&maxPrice=&isbindcertificate=2",
                    "status" => 200
}

Logstash config

 if [source] =~ "access" {
        mutate { replace => { "type" => "access_log" } }
        mutate {
                add_field => {
                        "request" => "%{uri_path}%{query_string}"
                 }
        }
        grok {
            patterns_dir => ["../patterns"]
            match => { "message" => "%{NGINXACCESS}"}
        }
     }
2

Filters are run in the order listed in the config file. At the time your mutate filters are run the grok filter hasn't run so the fields don't exist.

3

@magnusbaeck, you are right , thanks a lot

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.