Logstash translate and replace filter not working

marco2005 · June 18, 2020, 7:40am

I have 5 log files using the below Golang log pattern:

2020-06-17 11:50:04 CEST | CORE | INFO | (pkg/collector/corechecks/net/ntp.go:162 in Run) | Failed to get clock offset from any ntp host

And below is my filter:

filter {
        dissect {
            mapping => {
                "message" => "%{timestamp} %{+timestamp} %{tz}|%{module}|%{log_level}|%{package}|%{msg}"
            }
            remove_tag => [ "_dissectfailure" ]
        }
        translate {
            field       => "[tz]"
            destination => "[tz_num]"
            dictionary  => {
                "CET"  => "+0100"
                "CEST" => "+0200"
            }
        }
        mutate {
            strip => ["timestamp","tz","module","log_level","package","msg"]
            replace => [ "timestamp", "%{timestamp} %{tz_num}" ]
        }
        date {
            match => [ "timestamp" , "YYYY-MM-DD HH:mm:ss Z" ]
        }
        mutate {
            remove_field => [ "tz", "tz_num" ]
        }
}

The problem is with the mutate(replace) which is not able to append the tz_num. So, in the output, I always see like this:

"timestamp" => "2020-06-17 11:50:04 %{tz_num}",

Can you please advise what could be the problem here?

ptamba · June 18, 2020, 12:18pm

replace is applied before strip. so your timestamp will be replaced first. you can use separate mutate blocks to control execution according to this

system · July 16, 2020, 12:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.