Mutate -> Copy is not working as expected

FALEN · May 16, 2023, 8:53am

Im working on some json data, transforming and remapping fields
add_field, rename plugins are working as expected

But whenever im using copy, output does not include these [events][date], [env][app] fields. But does include [env][date]. That means field is not empty and format is proper i assume?
Also tried with an alternative, using add_field to produce target fields as empty to see if copy failing to create field in first place or not.

filter {
if [log][file][path] =~ "/var/log/trace/*" {
    mutate {
        copy => {
        "[type1][timestamp]" => "[events][date]"
        "[type1][tags][http.path]" => "[env][app]"
        }
        rename => {
        "[type1][timestamp]" => "[env][date]"
        }
        remove_field => ["^type1\."]
    }
  }
}

Updated to latest 8.x.x to test, same happens again

Badger · May 16, 2023, 2:42pm

A mutate filter processes options in a fixed order. rename is processed before copy. [type1][timestamp] will no longer exist when the filter tries to copy it, so it does not get copied. Use two mutate filters.

system · June 13, 2023, 2:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unknown setting copy for mutate Logstash	3	1700	September 5, 2017
[SOLVED] The filter plugin mutate-convert doesn't work in 5.0 Logstash	17	8866	December 9, 2016
Problem with "split" and "add_field" in mutate filter Logstash	5	5459	December 19, 2019
Correct way to use the mutate rename filter Logstash	5	4817	June 30, 2021
Add_field and copy data Logstash	8	17254	December 30, 2017

Mutate -> Copy is not working as expected

Related Topics