Hello All,
I am trying to make changes to the format of a document and there are conditionals that do not take effect.
Original document:
{
  "@timestamp": "2019-09-02T13:10:39.931Z",
  "tags": [
    "beats_input_codec_plain_applied"
  ],
  "host": {
    "name": "ip-xx-xx-xx-xx"
  },
  "log": {
    "file": {
      "path": "/opt/xxxxxxxx/logs/xxxxxx.log"
    },
    "offset": 31891946
  },
  "message": "some logline",
  "@version": "1",
  "input": {
    "type": "log"
  },
  "ecs": {
    "version": "1.0.1"
  },
  "agent": {
    "hostname": "ip-xx-xx-xx-xx",
    "id": "c61120bc-f353-4159-95a3-59145bf7d7fd",
    "type": "filebeat",
    "version": "7.3.1",
    "ephemeral_id": "d51a5206-3bfa-4d8c-be2d-0c18f13adad4"
  }
}
Filter:
filter {
  if 'filebeat' in [tags] or 'beats_input_codec_plain_applied' in [tags] {
    if [name] in [host] {
      mutate {
        add_field => { "host_name" => "%{[host][name]}" }
      }
      mutate {
        remove_field => [ "host" ]
      }
      mutate {
        rename => { "host_name" => "host" }
      }
    }
    if [file] in [log] {
      mutate {
        add_field => { "source_file" => "%{[log][file][path]}" }
      }
      mutate {
        remove_field => [ "log" ]
      }
    }
    if [type] in [input] {
      mutate {
        add_field => { "type" => "filebeat" }
      }
      mutate {
        remove_field => [ "input" ]
      }
    }
    mutate {
      remove_field => [ "ecs", "agent" ]
    }
  }
}
Resulting document:
{
  "message": "some logline",
  "@timestamp": "2019-09-02T13:10:39.931Z",
  "input": {
    "type": "log"
  },
  "host": {
    "name": "ip-xx-xx-xx-xx"
  },
  "log": {
    "file": {
      "path": "/opt/xxxxxxxx/logs/xxxxxx.log"
    },
    "offset": 31891946
  },
  "tags": [
    "filebeat",
    "beats_input_codec_plain_applied"
  ],
  "@version": "1"
}
Apart from the last mutate that drops "ecs" and "agent", none of the other conditions appear to be evaluated.
What am I doing wrong?
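The three inner conditions in the post are written as `[name] in [host]`, `[file] in [log]` and `[type] in [input]`. In a Logstash conditional the left operand `[name]` is a field reference, and it is resolved against the top level of the event, where no field called `name` exists; the comparison therefore never matches and the block is skipped, which is exactly the behaviour shown in the resulting document. A nested field reference such as `[host][name]` tests the value the post actually wants to check. The following filter is an added example, not the original poster's configuration or anything from the Logstash project; it assumes the same Filebeat event shape as the document above and keeps the same three rewrites.

```logstash
filter {
  if 'filebeat' in [tags] or 'beats_input_codec_plain_applied' in [tags] {

    # [host][name] is a nested field reference. The original `[name] in [host]`
    # looked up a top-level field `name`, which does not exist, so the block
    # never ran. A bare nested reference is true whenever the field is present.
    if [host][name] {
      mutate { add_field => { "host_name" => "%{[host][name]}" } }
      mutate { remove_field => [ "host" ] }
      mutate { rename => { "host_name" => "host" } }
    }

    # Same fix for the file path: test the nested field, not a top-level one.
    if [log][file][path] {
      mutate { add_field => { "source_file" => "%{[log][file][path]}" } }
      mutate { remove_field => [ "log" ] }
    }

    # And for the input type.
    if [input][type] {
      mutate { add_field => { "type" => "filebeat" } }
      mutate { remove_field => [ "input" ] }
    }

    # Unconditional, as in the original filter.
    mutate { remove_field => [ "ecs", "agent" ] }
  }
}
```

Each `mutate` is kept as a separate block because the plugin applies its operations in a fixed internal order rather than the order written, so chaining `add_field`, `remove_field` and `rename` in one block would not give the intended result. One point worth deciding before dropping `agent` unconditionally: `agent.id` and `agent.ephemeral_id` are what tie an event back to the specific shipper that produced it, so keep them if that provenance is needed when investigating events later.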