Logstash Syntax :: Putting the Value of One Field into Another?

redapplesonly · November 15, 2019, 7:41pm

Hey Logstash Maestros,

I have a syntax question. Suppose I have this as the input data going into Logstash:

FieldA    FieldB      FieldC
==============================
     6    "apples"   "bananas"
    11    "grapes"   "oranges"
    21     "pears"    "melons"

FieldA/B/C are all top-level fields in my data. Now, in the filter section of my LS config file, I want to do this:

  if [FieldA] > 10 {
    mutate {
      add_field => { "FaveStat" => [FieldB] }
    }
  else {
    mutate {
      add_field => { "FaveStat" => [FieldC] }
    }
  }

I want this:

FieldA    FieldB      FieldC       FaveStat
===========================================
     6    "apples"   "bananas"     "apples"
    11    "grapes"   "oranges"    "oranges"
    21     "pears"    "melons"     "melons"

Instead, the above syntax is giving me this:

FieldA    FieldB      FieldC       FaveStat
===========================================
     6    "apples"   "bananas"     "FieldB"
    11    "grapes"   "oranges"     "FieldC"
    21     "pears"    "melons"     "FieldC"

This suggests that to retrieve the value of a field, you should use brackets. ( [FieldA] ) Am I doing something wrong? Thanks!

Badger · November 15, 2019, 9:05pm

Use a sprintf reference to get the value of a field

add_field => { "FaveStat" => "%{[FieldB]}" }

redapplesonly · November 16, 2019, 4:32am

Yes! Brillant! Thank you, that worked perfectly! Badger, you've saved me again. Much appreciated...

system · December 14, 2019, 4:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.