Logstash grok for change field value

lukatoni · February 5, 2019, 7:38am

Hi,
I just wanna change my field value like this:

I have a log json with field:
"source_host": "dev-host-test.com.pl",

and i need to remove only .com.pl leave the old field and create new field with value:
"new_field":"dev-host-test"

Is there a simple way to do it with grok or other logstash options ?

Christian_Dahlqvist · February 5, 2019, 8:13am

Try something like this:

dissect {
  mapping => {
    "source_host" => "%{new_field}.%{}"
  }
}

lukatoni · February 5, 2019, 8:35am

Yeah this solution work, but i have mixing source_host values like:

dev-host-test
dev-host-test2.com.pl
etc

And i think this solution work only for message that have .com.pl , if message has correct value: only dev-host-test and i dont need to change anything i got an error:

[2019-02-05T09:29:14,315][WARN ][org.logstash.dissect.Dissector] Dissector mapping, pattern not found {"field"=>"source_host", "pattern"=>"%{index_field}.%{}",

Christian_Dahlqvist · February 5, 2019, 8:37am

Then you might need a conditional as well to check if the field contains a dot.

lukatoni · February 5, 2019, 9:42am

Simple if ? like:

if ("*." in [source_host]) {
dissect {
  mapping => {
    "source_host" => "%{source_host}.%{}"
  } 
 }
}

Christian_Dahlqvist · February 5, 2019, 9:54am

Maybe something like this:

  if [source_host] =~ /\./ {
    dissect {
      mapping => {
        "source_host" => "%{new_field}.%{}"
      }
    }
  } else {
    mutate {
      copy => { "source_host" => "new_field" }
    }
  }

lukatoni · February 5, 2019, 12:21pm

Works perfectly <3 ! Thanks so much!

system · March 5, 2019, 12:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.