Logstash - mutate - add_field problem

Nadir · November 10, 2016, 1:25pm

Hi !

I do have the following event and I want to add another field and populate this with the content of event_data.IpAddress:

{
       "process_id" => 476,
       "level" => "Information",
        "event_data" => {
                        "IpAddress" => "172.16.87.87",
                        "ProcessId" => "0x0"
        },
        "opcode" => "Info",
        "type" => "wineventlog",
        "event_id" => 4624
}

In the logstash config I added this to achieve this, but it doesn't work:

...
filter {
    mutate {
        add_field => { "host" => "%{event_data.IpAddress} }
}
...

It does work if I take for example the event_id:

...
filter {
  mutate {
    add_field => { "host" => "%{event_id}}
  }
...

Any suggestion ?

Kind regards,
Thorsten

tileaga · November 10, 2016, 1:29pm

Try this:

add_field => [ "[host]", "%{event_data.IpAddress}" ]

magnusbaeck · November 10, 2016, 1:47pm

%{[event_data][IpAddress]}, not %{event_data.IpAddress}.

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references

Nadir · November 10, 2016, 1:49pm

This approach does create this additional field and content:

...
"host" => "%{event_data.IpAddress}",
...

Not what I need as I need the content of the field 'event_data.IpAddress' in the new field 'host'.

Nadir · November 10, 2016, 1:57pm

The solution from Magnus is working:

add_field => { "host" => "%{[event_data][IpAddress]}" }

Thank's a lot !
Thorsten

system · December 8, 2016, 1:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.