Logstash Netflow translate and convert a field

Hi there,
I'm trying to add extra information to my netflow field, more specifically netflow.direction

Currently it uses number format but I would like it to be a string as I'm adding a string

I've ended up doing this and it's working if I output to file:

if [type] == "netflow" {
  translate {
    field => "[netflow][direction]"
    destination => "[netflow][direction]"
    override => "true"
    dictionary => [ "0", "0-Ingress", "1", "1-Egress" ]
  }
}

However, in Elasticsearch netflow.direction is a number, so I get this error in Logstash:

[2017-06-21T09:39:07,764][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2017.06.20", :_type=>"netflow", :_routing=>nil}, 2017-06-20T23:38:39.000Z 192.168.199.1 %{message}], :response=>{"index"=>{"_index"=>"logstash-2017.06.20", "_type"=>"netflow", "_id"=>"AVzH37xKAPHi6zTnNzhA", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [netflow.direction]", "caused_by"=>{"type"=>"number_format_exception", "reason"=>"For input string: \"1-Egress\""}}}}}

What's the best way to do this? I've tried using convert but I'm not having much luck:
mutate {
convert => { "[netflow][direction]" => "string"}
}

The issue is on the Elasticsearch side. The mapping used there already considers the field direction a number. I recommend that you keep it that way and create another field (i.e. direction_description) for the Ingress/Egress value.

Thanks for your reply. Could you give me an example? I've just started using the filters.

Use the same translate filter, but change destination to something like destination => "[netflow][direction_description]". Also change the dictionary so it translates to Ingress/Egress instead of 0-Ingress/1-Egress.
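The change described in the reply above, written out as an added example (not posted by either participant in the thread). The fallback value is an assumption added here for flows whose direction is neither 0 nor 1; everything else follows the reply.

```logstash
filter {
  if [type] == "netflow" {
    translate {
      # Source field stays numeric, so the existing Elasticsearch
      # mapping for netflow.direction keeps accepting it.
      field => "[netflow][direction]"

      # Write the label to a separate field, which gets its own string mapping.
      # No override is needed because this field does not exist yet.
      destination => "[netflow][direction_description]"

      dictionary => [ "0", "Ingress", "1", "Egress" ]

      # Assumption: label unexpected values instead of leaving the field unset.
      fallback => "Unknown"
    }
  }
}
```

Documents already indexed keep only the numeric netflow.direction; the description field appears on events processed after the change.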

Thanks Thiago, that worked like a charm.
