Hey All,
Part of our logs we recieve are in json format.
I filter out these messages with following filter:
json {
source => "Request"
target => "Request_parsed"
}
This works perfectly and we are getting a lot of Request_parsed.*** fields.
Now I want to merge part of these fields to a new field called Comment so i can use 1 field in kibana to show all the requests.
is this possible in logstash?
filter {
mutate {
add_field => {
"merged_field" => "%{[Request_parsed][subfield1]} %{[Request_parsed][subfield2]}"
}
}
}
ok got this:
mutate { add_field => { "Comment" => "%{[Request_parsed][type_label]} %{[Request_parsed][canonical_type_label]} %{[Request_parsed][title]}" %{[Request_parsed][value_label]}" }
The problem now is that not every field get's data and i get this in kibana:
June 10th 2016, 14:06:58.308%{[Request_parsed][type_label]} Disease %{[Request_parsed][title]} %{[Request_parsed][value_label]}
June 10th 2016, 14:06:51.362%{[Request_parsed][type_label]} %{[Request_parsed][canonical_type_label]} Combined immunodeficiency due to OX40 deficiency %{[Request_parsed][value_label]}
Wrap the mutate filter in a conditional.
if [Request_parsed][type_label] {
mutate {
add_field => {
"Comment" => "%{[Request_parsed][type_label]}"
}
}
}
thanks, works like a charm
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.