Mutate beats field

kopacko · February 13, 2017, 11:06pm

I cannot seem to get this to work:

mutate { add_field => { "hostname" => "%{beat.hostname}" } }

I used this template of code quite a bit and it is working just fine for other items.

kopacko · February 13, 2017, 11:09pm

I end up with this, visible from Kibana:

t hostname %{BEAT.HOSTNAME}

magnusbaeck · February 14, 2017, 6:45am

You're using the wrong notation for nested fields.

kopacko · February 14, 2017, 3:37pm

Ohhh, so:

%{[beat].[hostname]} ?

magnusbaeck · February 14, 2017, 3:41pm

No, %{[beat][hostname]}.

kopacko · February 14, 2017, 3:44pm

Ah....muchas gracias!

kopacko · February 14, 2017, 3:45pm

In terms of things like packetbeat and winlogbeat, is there an easy way to change the field names?

I want get some of them in line with other fields names created from my groks.

kopacko · February 14, 2017, 4:22pm

I can see in new logs coming in, that worked. Thank you very much sir.

magnusbaeck · February 14, 2017, 5:45pm

In terms of things like packetbeat and winlogbeat, is there an easy way to change the field names?

I doubt you can change the field names being sent from those tools but you can certainly use Logstash to rename them.

kopacko · February 14, 2017, 5:55pm

Yea true. Didn't want to add any undue cycles unless I needed to.

system · March 14, 2017, 5:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.