Multiple translate filters on the same event field in logstash

I am using the following translate filters in my logstash configuration file. I have two separate YAML files that serve as the lookup dictionaries. The logstash event field referenced is the same for both filters but their destination fields are different. When I execute this, the destination field from the first translate filter is populated correctly, but the destination filter of the second translate filter fails to populate. How do I ensure that the destination of the second field is also populated correctly using these multiple translate filters?

translate {
      dictionary_path => "C:/elk/lookupFile_1.yaml"
      field => "eventField_1"
      destination => "destField_1"
}
 
translate {
      dictionary_path => "C:/elk/lookupFile_2.yaml"
      field => "eventField_1"
      destination => "destField_2"
}

Two alternatives I think would be possible -

a) Instead of two YAML files, using just one YAML file where the value field is an array, e.g. key1 : val1a ,val1b. Then using the dissect filter to maybe separate the destination field into separate fields.

b) Create a duplicate of eventField_1, say eventField_1Copy, and pass that to the field parameter of the second translate filter. I can then drop eventField_1Copy.

The first translate will clobber the old value of the source field and that is the reason it does not work for the 2nd translate.

If you just have two translations to run, create two duplicates of your field beforehand and use them in the translate "field" section.

You can use the fallback => "no match" also to indicate that the translation did not happen for your future logic.

@pastechecker - When you say "clobber the old value of the source field" I am assuming you mean the first translate filter would replace the value of the source field by the corresponding match of the dictionary value. But that wouldn't happen when I create an entirely new destination field in which to store the dictionary value right?

In any case, I was able to get my original configuration working. Turns out the second .yaml lookup file had a formatting issue that I overlooked. Thank you!
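
An added example, not part of the thread and not the plugin's code: a Ruby sketch that checks a translate dictionary for the kind of formatting problem mentioned in the last post and models two lookups reading the same source field. The dictionary contents and the helper names `check_dictionary`, `translate` and `enrich` are constructed for illustration.

```ruby
require "yaml"

# Constructed dictionary contents standing in for the two lookup files.
DICT_1 = %("100": "low"\n"200": "high"\n)
DICT_2 = %("100": "team-a"\n"200": "team-b"\n)
BROKEN = %(100 team-a\n200 team-b\n) # colons missing: loads as one string

# Returns [dictionary_or_nil, problems] for the text of a YAML dictionary.
def check_dictionary(yaml_text)
  data = YAML.safe_load(yaml_text)
  unless data.is_a?(Hash)
    return [nil, ["top level is #{data.class}, expected key: value pairs"]]
  end
  problems = data.keys.reject { |k| k.is_a?(String) }.map do |k|
    "key #{k.inspect} loads as #{k.class}, not a string; quote it"
  end
  [data, problems]
rescue Psych::SyntaxError => e
  [nil, ["YAML syntax error: #{e.message}"]]
end

# Simplified model of one translate filter: exact match on the source field,
# result written to the destination only, source field left unchanged.
def translate(event, dict, field:, destination:, fallback: nil)
  result = dict.fetch(event[field].to_s, fallback)
  event[destination] = result unless result.nil?
  event
end

# Runs both lookups against the same source field, skipping unusable dictionaries.
def enrich(event, text_1, text_2)
  [[text_1, "destField_1"], [text_2, "destField_2"]].each do |text, dest|
    dict, problems = check_dictionary(text)
    problems.each { |p| warn "#{dest}: #{p}" }
    next if dict.nil?
    translate(event, dict, field: "eventField_1", destination: dest, fallback: "no match")
  end
  event
end

if __FILE__ == $PROGRAM_NAME
  p enrich({ "eventField_1" => "100" }, DICT_1, DICT_2)
  p enrich({ "eventField_1" => "100" }, DICT_1, BROKEN)
end
```

Running a check like this over each dictionary file before deploying a pipeline change catches a file that silently leaves its destination field empty.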
