Discuss the Elastic Stack

Merge 2 fields from seperate events into one field

Elastic Stack Logstash

swiftingdarkness July 15, 2019, 4:58pm 1

I am trying to merge the field "username" from one source (xx.xxx.xx.xx) with the field "user" from a different source (yy.yyy.yyy.yyy). I want to merge them into a new field called "User".

Example Logs:

[USERNAME= johndoe] [SOURCE=xx.xxx.xx.1]

user="janedoe" source=yy.yyy.yyy.111

I have tried adding a new field and deleting the "username" and "user" fields, but no luck. All it returns is

"User" => "%{USERNAME} janedoe"
or
"User" => "%{USERNAME} %{user}"

Conf File:

Any help is highly appreciated!!!

Badger July 15, 2019, 5:09pm 2

You appear to be applying the kv filters the wrong way around.

Please do not post pictures of text. Just post the text with appropriate markdown.

system (system) Closed August 12, 2019, 5:09pm 3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Logstash mutate field Logstash	2	248	August 27, 2021
How to join fields from multi events into single event? Logstash	5	4526	December 8, 2017
Combine fields inside aggregation filter Logstash	5	3213	April 6, 2018
Parsing an existing field further Logstash	6	389	September 10, 2021
Logstash aggregate/mutate Logstash	5	1147	July 18, 2020

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.