Logstash add_field

piyush · May 13, 2016, 9:43pm

Hi Team,
I am trying to add a field but not getting expected result please assist, surely i am overlooking something. It's logstash-2.3.2-1

PFB Details:

grok{
match => ["message", "%{WORD:appname}"]
}

mutate {
add_field => { "ApplicationName" => "%{appname}" }
}

========

appname=Testing123

I am expecting "ApplicationName" = Testing123 but i am getting:
"ApplicationName" => "%{appname}"

Thanks & Regards,

fbaligand · May 14, 2016, 8:27am

I just tried with logstash 2.3.2 and your configuration, and it works just fine.

Are you really sure appname field is filled ? Are you sure that appcase field has this case (not Appcase for example)

I invite you to use this output to debug your problem :

output {
  stdout { codec => rubydebug }
}

magnusbaeck · May 14, 2016, 8:49am

Perhaps this is just a simplified example, but why not capture the string directly into the ApplicationName field instead of using appname and copying that string to ApplicationName?

piyush · May 14, 2016, 9:07am

Appname wasn't blank and i was looking at rubydebug only. And Appname, i am trying to retrieve from given URL, so it was like that.

I tested this scenario just now and i got my result, here is update:

tested with:
mutate {
add_field => { "testrun" => "%{testrun}" }
add_field => { "critical" => "%{critical}" }
}

Below is console output of rubydebug: [ This created my confusion, i don't know why i am getting this output where i was expecting "testrun" = 0]

"testrun" => "%{testrun}",
"critical" => "%{critical}",
where as elasticsearch is showing testrun as a field. [my expectation] and 0 as value

magnusbaeck · May 14, 2016, 9:10am

add_field => { "testrun" => "%{testrun}" }

I don't get it. What is this supposed to do? You're assigning a field to itself which doesn't strike me as a very useful operation. What does an event look like without the mutate filter above?

piyush · May 14, 2016, 9:15am

source of testrun:

grok {
match => {"message" => "Tests run: %{INT:testrun}"}
}

i am trying to create a field "testrun" where i will be inserting value of tests executed during a build.

magnusbaeck · May 14, 2016, 1:53pm

I repeat: What does an event look like without the mutate filter above?

In other words, what does your Logstash's input look like?

Topic		Replies	Views
Problem when adding fields to logstash Logstash	6	334	January 2, 2021
Logstash extract first 3 chars of a field into another field Logstash	3	664	July 6, 2017
Logstash Syntax :: Add a new field... which is the product of other fields? Logstash	3	1569	December 17, 2019
Add a field Logstash	3	319	July 6, 2017
Logstash mutate add field not showing the added field Logstash	4	1088	August 19, 2021

Logstash add_field

PFB Details:

Related topics