Logstash Replacing A Value

motts · November 22, 2017, 6:57pm

I am working on filtering ftp logs that are in xml format. Everything works fine, but this one column that's labeled "host". If that column has data in it, that data will be put into elasticsearch. However, if that column has a blank spot, the source IP of the host that the xml is coming from goes into that spot instead of it being left blank

I have tried to use

replace => {"host: 1.1.1.1" => "host: N/A"}

but logs do not ship at all. When I check the logstash logs, there is an error in there that says Filed names cannot use periods.

Do you have a way you recommend I replace that value with N/A or even a blank space, if the value is equal to the shipping host IP?

Badger · November 22, 2017, 7:13pm

Logstash events have a field called host, which is set to the name of the machine it runs on. You are overwriting that sometimes. If you do not overwrite it then it keeps the value it started with. You could try using a different field name for the data you are trying to index. Or if you really insist

  if [host] == "1.1.1.1" {
    mutate { remove_field => ["host"] }
    mutate { add_field => { "host" => "NA" } }
  }

But I would definitely suggest using a different field if you can.

system · December 20, 2017, 7:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Host variable replaced, but not configured to be Logstash	4	1182	July 6, 2017
Trying to replace ‘host’ and port field Logstash	3	2276	January 8, 2020
Filter mutate replace field value with value of another field Logstash	3	18054	July 6, 2017
Elasearch filed take the empty values Elasticsearch	5	951	July 5, 2017
Solved: removing domain name from hostname (host.name) with Logstash mutate split and replace filter Logstash	1	1693	September 16, 2020

Logstash Replacing A Value

Related topics