Mutate change field to another

belette · July 9, 2016, 10:25pm

Hi,
I am trying to change filed but I am not able to do it I think it is an issue of my if statement where I probably not put the right way to find it...

I would like to change "fieldId" : 16 to "fieldId' : "Application"
Integer -> String but I don't think it is an issue.
I tried :
filter {
if [series][legend][fieldId] == 16 {
mutate {
add_field => {"Application" => 16}
}
}
}

I also tried something like [series][legend][0][fieldId]

Here my input :

{"fieldGroups": [], "intervalData": {"endTime": "2016-07-09T22:17:00Z", "startTime": "2016-07-09T22:16:00Z", "intervals": ["2016-07-09T22:16:00Z"], "intervalDurationSeconds": 60}, "series": [{"legend": [{"fieldId": 16, "data": {"filterKey": "app 'HTTPS/TCP'", "status": "VALID", "string": "HTTPS (TCP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 147515}]}, {"fieldId": 189, "data": [{"float": 67.252018, "status": "VALID"}]}, {"fieldId": 198, "data": [{"float": 40.254972, "status": "VALID"}]}]}, {"legend": [{"fieldId": 16, "data": {"filterKey": "app 'HTTP/TCP'", "status": "VALID", "string": "HTTP (TCP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 88880}]}, {"fieldId": 189, "data": [{"float": 210.345894, "status": "VALID"}]}, {"fieldId": 198, "data": [{"float": 39.696435, "status": "VALID"}]}]}, {"legend": [{"fieldId": 16, "data": {"filterKey": "app 'Other/TCP'", "status": "VALID", "string": "Other (TCP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 71030}]}, {"fieldId": 189, "data": [{"float": 0.0, "status": "INVALID"}]}, {"fieldId": 198, "data": [{"float": 0.0, "status": "INVALID"}]}]}, {"legend": [{"fieldId": 16, "data": {"filterKey": "app 'SSH/TCP'", "status": "VALID", "string": "SSH (TCP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 31040}]}, {"fieldId": 189, "data": [{"float": 683.406898, "status": "VALID"}]}, {"fieldId": 198, "data": [{"float": 315.42763, "status": "VALID"}]}]}, {"legend": [{"fieldId": 16, "data": {"filterKey": "app 'DNS/UDP'", "status": "VALID", "string": "DNS (UDP)"}}], "fieldData": [{"fieldId": 53, "data": [{"status": "VALID", "unsigned": 24834}]}, {"fieldId": 189, "data": [{"float": 8.209729, "status": "VALID"}]}]}]}

Many thanks for your help

magnusbaeck · July 10, 2016, 8:33am

The series field also contains an array, so try [series][0][legend][0][fieldId].

belette · July 10, 2016, 10:04am

Many thanks in fact I forgot this one. I have tried but don't see any change. Is it because I have to do a loop for n in legends ? Do you have a example by chance ? The problem is that is is not an array for legend but multiple legend fields separate with commas
Many thanks again for your great help
EDIT : to give more information as I provided the input before the split in logstash ...
the input in kibana is split by series :

I have tried :
filter {
split {
field => "series"
}
if [series][legend][0][fieldId] == 16 {
mutate {
add_field => {"Application" => 16}
}
}
}

But not seeing any result (as you can see on the previous screenshot above it keeps showin 16)

EDIT2 : I undestand now, it adding a filed ("6666" : "16") in this example, my idea what to replace the fielld this is the reason why I think it is not working... I have to look if it is possible to replace instead of adding a new field then..

EDIT3: I am almost done but I don't see any entries in Kibana ...
I did this configuraiton on logstash :
filter {
split {
field => "series"
}
if [series][legend][0][fieldId] == 16 {
mutate {
convert => {"[series][legend][0][fieldId]" => "string"}
replace => ["[series][legend][0][fieldId]","Application"]
}
}
}

I can see on the debug that it is working apparently fine :
Jul 10 21:47:07 openswan logstash[10159]: }
Jul 10 21:47:07 openswan logstash[10159]: {
Jul 10 21:47:07 openswan logstash[10159]: "series" => {
Jul 10 21:47:07 openswan logstash[10159]: "legend" => [
Jul 10 21:47:07 openswan logstash[10159]: [0] {
Jul 10 21:47:07 openswan logstash[10159]: "fieldId" => "Application",
Jul 10 21:47:07 openswan logstash[10159]: "data" => {
Jul 10 21:47:07 openswan logstash[10159]: "status" => "VALID",
Jul 10 21:47:07 openswan logstash[10159]: "string" => "NTP (UDP)",
Jul 10 21:47:07 openswan logstash[10159]: "filterKey" => "app 'NTP/UDP'"

But I don't see anymore data in Kibana...
Any idas welcomed
Many thanks

belette · July 13, 2016, 10:01pm

A little up if anyone has any idea

Topic		Replies	Views
Filter if condition in Logstash Logstash	8	19413	July 24, 2019
Logstash mutate replace field Logstash	7	3384	May 16, 2017
[SOLVED] The filter plugin mutate-convert doesn't work in 5.0 Logstash	17	8866	December 9, 2016
Mutate - replace field string using another pattern Logstash	3	4287	December 26, 2016
How to convert datatype field from "string" to "integer" with mutate filter? Logstash	2	1326	September 4, 2018

Mutate change field to another

Related topics