Logstash Lookup Fields

John_snow · November 18, 2021, 12:43am

While running /usr/share/logstash/bin/logstash -f .conf file i can see the tag in command line

Badger · November 18, 2021, 12:46am

The common add_tag certainly does a sprintf of the new value, so if you end up with "%{[data][tag]}" as a tag that is telling you that the [data] object does not contains a [tag] field].

John_snow · November 18, 2021, 12:49am

But it contains the tag field in it.

my_file.json

{
        "123456": {
                                "tag": "my_tag"
                        },

my filter looks like

translate {
                    source => "[output_fields][acc_id]"
                    target => "[data]"
                    fallback => '{"acc_id":"not_found"}'
                    dictionary_path => "/home/lookup.json"
                }
if [data] == '{"acc_id":"not_found"}' {
                                                        drop {}
        }
else {
                mutate { add_tag => ["%{[data][tag]}"] }
                }

Badger · November 18, 2021, 1:03am

That does not match your fallback option, so it will never drop anything. Any event with the fallback string will also have a "%{[data][tag]}" tag.

John_snow · November 18, 2021, 1:09am

How i can add tag then?

i wanted to tag then on basis of tag i wanted to send the logs to pipeline

output {
        if "my_tag" in [tags] {
                                pipeline { send_to => ["pipe1"] }
                        }
      if "my_tag2" in [tags] {
                                pipeline { send_to => ["pipe2"] }
                        }
        else {
                pipeline { send_to => ["pipen"] }
                }
}

John_snow · November 18, 2021, 1:33am

That's how i'm seeing in command line

{
             "data" => {
        "tag" => "my_tag"
    },
        "lookup_id" => "1234",
       "@timestamp" => 2021-11-18T01:32:15.677Z,
         "sequence" => 0,
             "tags" => [
        [0] "my_tag"
    ],
    "output_fields" => {
        "tenant_id" => "1234567890"
    },
         "@version" => "1"
}

Badger · November 18, 2021, 1:43am

OK, so that's working. Did you read my previous response explaining why some events will have a "%{[data][tag]}" tag?

John_snow · November 18, 2021, 1:47am

Yup and i made changes accordingly.

Badger · November 18, 2021, 1:49am

I do not understand what needs fixing in that. It is, as far as I can tell, exactly what you wanted.

John_snow · November 18, 2021, 1:56am

sorry for misunderstandings.
i was asking how i can fix that?

"tags":["%{[data][tag]}"]

Badger · November 18, 2021, 2:53am

If you are still getting that value in [tags], what does the rest of the event look like in the rubydebug output?

John_snow · November 18, 2021, 3:34am

Interesting..
When i use input generator then i can see the tags correctly. But when i use any other input like file then i cannot see the tag in this way "tags":["%{[data][tag]}"]

John_snow · November 18, 2021, 1:42pm

This is the output

{
    "@timestamp" => 2021-11-18T05:21:34.609Z,
       "message" => "{\"name\": \"test\", \"output_fields\": {\"acc_id\": \"123456\"}, \"lookup_id\": \"hj\"}",
          "path" => "/home/test.log"
}

Badger · November 18, 2021, 3:21pm

Well now I am completely confused because that has no [data] field and no [tags] at all.

John_snow · November 18, 2021, 5:15pm

I was able to fix that. the issue was stringf was not working in translate filter.

John_snow · November 18, 2021, 6:30pm

Another issue i'm getting i'm seeing duplicate data after applying Translate filter.

Topic		Replies	Views
External lookups in a logstash pipeline Logstash	7	1002	June 22, 2017
From logstash how to lookup on a data in elastic index? Logstash	10	2322	August 18, 2021
Logstash Translate Dictionary not working Logstash	16	1281	May 21, 2020
External flat file for host lookup to add tags on network syslogs Logstash	5	1955	November 30, 2015
Translate Issue Logstash	1	797	August 15, 2016

Logstash Lookup Fields

Related topics