Logstash mutate replace field


(Jones Thomas) #1

I'm trying to replace the field "message" with value .
My example input message is:
[{
"logID": 1,
"organizationID": 1,
"userID": 1001,
"appID": 123,
"moduleID": 1,
"screenID": 213,
"timeStamp": "2017-03-15 10:06:26",
"action": "Login",
"purpose": "log",
"role": "Doctor",
"location": "Hospital",
"ipaddress": "192.168.1.3",
"networkType": "desktop",
"method": "getAll",
"category": "normal",
"description": "successfully logged in"
},
{
"logID": 2,
"organizationID": 1,
"userID": 201,
"appID": 201,
"moduleID": 2,
"screenID": 224,
"timeStamp": "2017-03-15 10:36:06",
"action": "Login",
"purpose": "log",
"role": "Nurse",
"location": "Clinic",
"ipaddress": "192.168.2.6",
"networkType": "tablet",
"method": "addVitals",
"category": "minor error",
"description": "error logged"
}]


(Jones Thomas) #2

my logstash config:

02-beats-input.conf

input {

stdin {
codec => multiline{
pattern => "^%{TIMESTAMP_ISO8601} "
negate => "true"
what => "next"
}
}

beats{
codec => "json"
port => 5044
ssl => false
}
}

12-json-filter.conf

filter {
json{
source => "message"
}
if [host] == "Ellora-PC1"{
mutate {
replace => ["host" , "JONES-PC"]
}
}

if [message] == ""appID": 123"{
mutate{
replace => ["message" , ""appID": "Android""]
}
}
}

30-elasticsearch-output.conf
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}


(Jones Thomas) #3

I want to change the appID:123 to appID: Android..
Someone guide me with it,
Thank you.


(Mark Walkom) #4

I don't think that syntax is correct, at least not according to https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-replace


(Jones Thomas) #5

{
"_index": "filebeat-2017.04.17",
"_type": "log",
"_id": "AVt6pHH9rUTxMONdNdfb",
"_score": null,
"_source": {
"message": "\t"appID": 123,",
"tags": [
"_jsonparsefailure",
"beats_input_codec_json_applied"
],
"@version": "1",
"@timestamp": "2017-04-17T06:40:44.023Z",
"fields": {
"tags": [
"json"
]
},
"beat": {
"name": "Ellora-PC1",
"hostname": "Ellora-PC1",
"version": "5.2.2"
},
"source": "C:\Users\Ellora\Downloads\log_events\1log.txt",
"offset": 75,
"type": "log",
"input_type": "log",
"host": "JONES-PC",
"MSG": "This is my first MEssage: 1223"
},
"fields": {
"@timestamp": [
1492411244023
]
},
"sort": [
1492411244023
]
}


(Jones Thomas) #6

"message": "\t"appID": 123,",.. can anyone say me what is the message format here?

and i want to change appID: 123 to appID: Android in the message field


(Jones Thomas) #7

Anyone?


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.