Mutate change field to another

Elastic Stack Logstash
1

Hi,
I am trying to change filed but I am not able to do it I think it is an issue of my if statement where I probably not put the right way to find it...

I would like to change "fieldId" : 16 to "fieldId' : "Application"
Integer -> String but I don't think it is an issue.
I tried :
filter {
if [series][legend][fieldId] == 16 {
mutate {
add_field => {"Application" => 16}
}
}
}

I also tried something like [series][legend][0][fieldId]

Here my input :

{"fieldGroups": [], "intervalData": {"endTime": "2016-07-09T22:17:00Z", "startTime": "2016-07-09T22:16:00Z", "intervals": ["2016-07-09T22:16:00Z"], "intervalDurationSeconds": 60}, "series": [{"legend": [{"fieldId": 16, "data": {"filterKey": "app 'HTTPS/TCP'", "status": "VALID", "string": "HTTPS (TCP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 147515}]}, {"fieldId": 189, "data": [{"float": 67.252018, "status": "VALID"}]}, {"fieldId": 198, "data": [{"float": 40.254972, "status": "VALID"}]}]}, {"legend": [{"fieldId": 16, "data": {"filterKey": "app 'HTTP/TCP'", "status": "VALID", "string": "HTTP (TCP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 88880}]}, {"fieldId": 189, "data": [{"float": 210.345894, "status": "VALID"}]}, {"fieldId": 198, "data": [{"float": 39.696435, "status": "VALID"}]}]}, {"legend": [{"fieldId": 16, "data": {"filterKey": "app 'Other/TCP'", "status": "VALID", "string": "Other (TCP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 71030}]}, {"fieldId": 189, "data": [{"float": 0.0, "status": "INVALID"}]}, {"fieldId": 198, "data": [{"float": 0.0, "status": "INVALID"}]}]}, {"legend": [{"fieldId": 16, "data": {"filterKey": "app 'SSH/TCP'", "status": "VALID", "string": "SSH (TCP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 31040}]}, {"fieldId": 189, "data": [{"float": 683.406898, "status": "VALID"}]}, {"fieldId": 198, "data": [{"float": 315.42763, "status": "VALID"}]}]}, {"legend": [{"fieldId": 16, "data": {"filterKey": "app 'DNS/UDP'", "status": "VALID", "string": "DNS (UDP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 24834}]}, {"fieldId": 189, "data": [{"float": 8.209729, "status": "VALID"}]}]}]}

Many thanks for your help :slight_smile:

2

The series field also contains an array, so try [series][0][legend][0][fieldId].

3

Many thanks in fact I forgot this one. I have tried but don't see any change. Is it because I have to do a loop for n in legends ? Do you have a example by chance ? The problem is that is is not an array for legend but multiple legend fields separate with commas
Many thanks again for your great help
EDIT : to give more information as I provided the input before the split in logstash ...
the input in kibana is split by series :

split.png657×1553 109 KB

I have tried :
filter {
split {
field => "series"
}
if [series][legend][0][fieldId] == 16 {
mutate {
add_field => {"Application" => 16}
}
}
}

But not seeing any result (as you can see on the previous screenshot above it keeps showin 16)

EDIT2 : I undestand now, it adding a filed ("6666" : "16") in this example, my idea what to replace the fielld this is the reason why I think it is not working... I have to look if it is possible to replace instead of adding a new field then..

EDIT3: I am almost done but I don't see any entries in Kibana ...
I did this configuraiton on logstash :
filter {
split {
field => "series"
}
if [series][legend][0][fieldId] == 16 {
mutate {
convert => {"[series][legend][0][fieldId]" => "string"}
replace => ["[series][legend][0][fieldId]","Application"]
}
}
}

I can see on the debug that it is working apparently fine :
Jul 10 21:47:07 openswan logstash[10159]: }
Jul 10 21:47:07 openswan logstash[10159]: {
Jul 10 21:47:07 openswan logstash[10159]: "series" => {
Jul 10 21:47:07 openswan logstash[10159]: "legend" => [
Jul 10 21:47:07 openswan logstash[10159]: [0] {
Jul 10 21:47:07 openswan logstash[10159]: "fieldId" => "Application",
Jul 10 21:47:07 openswan logstash[10159]: "data" => {
Jul 10 21:47:07 openswan logstash[10159]: "status" => "VALID",
Jul 10 21:47:07 openswan logstash[10159]: "string" => "NTP (UDP)",
Jul 10 21:47:07 openswan logstash[10159]: "filterKey" => "app 'NTP/UDP'"

But I don't see anymore data in Kibana...
Any idas welcomed :slight_smile:
Many thanks

4

A little up if anyone has any idea :slight_smile: