Logstash mutate field

Hi everyone,
I hope somebody can help me with this issue I am facing with Logstash.

I am receiving some syslog, and I am trying to put in place some filtering and merge 2 fields together.

The simple structure that I want to implement is as follows:

I have 2 fields:

destinationUserName      sourceUsername
user1
                         user2

What I want is to merge those 2 fields into one, which I called userID.

filter {
    mutate {
        add_field => { "userID" => "%{destinationUserName}%{sourceUserName}" }
    }
}

This worked just fine, until I realised there was a problem.

The problem is, if both fields have data, it does the merging correctly, like this:

input:
destinationUserName      sourceUsername
user1                    user2

output:
userID
user1 user2

But if one of the fields is empty, I get this output:

input:
destinationUserName      sourceUsername
user1

output:
userID
user1%{sourceUsername}

Which is not something I want to see in my logs.

Please guys, can somebody help me understand how I can set up my Logstash to merge and show only the field that has data in it?

This is the output I am expecting:

input:
destinationUserName      sourceUsername
user1
                         user2

output:
userID
user1
user2

Thank you so much for your help.

You could do

if [destinationUserName] and [sourceUserName] {
    mutate { add_field => { "userID" => "%{destinationUserName}%{sourceUserName}" } }
} else if [destinationUserName] {
    mutate { add_field => { "userID" => "%{destinationUserName}" } }
} else if [sourceUserName] {
    mutate { add_field => { "userID" => "%{sourceUserName}" } }
}

Alternatively

mutate { gsub => [ "userID", "%{[^}]+}", "" ] }
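
An added example, not part of either post above: Ruby that models why the unresolved `%{sourceUserName}` reference ends up as literal text in `userID`, and that builds `userID` only from fields that are present and non-blank, which generalizes the conditional approach to any list of fields. `FakeEvent`, `sprintf_like`, `set_user_id` and the separator argument are hypothetical names, and `sprintf_like` is a simplified model, not Logstash's own implementation.

```ruby
# Added example, not code from the thread. FakeEvent is a hypothetical
# stand-in exposing only get/set, so this runs outside Logstash.
class FakeEvent
  def initialize(fields)
    @fields = fields.dup
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end
end

# Simplified model of %{field} substitution: a reference to a field the
# event does not have stays in the string as literal text.
def sprintf_like(event, template)
  template.gsub(/%\{([^}]+)\}/) do |ref|
    value = event.get(Regexp.last_match(1))
    value.nil? ? ref : value.to_s
  end
end

USER_FIELDS = %w[destinationUserName sourceUserName].freeze

# Set userID from whichever listed fields are present and non-blank.
# The separator is an assumption; the config in the thread uses none.
def set_user_id(event, separator = "")
  values = USER_FIELDS.map { |name| event.get(name).to_s.strip }
                      .reject(&:empty?)
  event.set("userID", values.join(separator)) unless values.empty?
  event
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample events matching the three cases in the thread.
  [
    { "destinationUserName" => "user1", "sourceUserName" => "user2" },
    { "destinationUserName" => "user1" },
    { "sourceUserName" => "user2" }
  ].each do |fields|
    event = FakeEvent.new(fields)
    naive = sprintf_like(event, "%{destinationUserName}%{sourceUserName}")
    puts "naive=#{naive.inspect} merged=#{set_user_id(event).get('userID').inspect}"
  end
end
```

The body of `set_user_id` relies only on `event.get` and `event.set`, the calls a Logstash `ruby` filter has available on its event.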
