Mutate filter doesn't work with error.message (heartbeat) field

Bozzerreaneaux · January 19, 2018, 3:07pm

Hello,

trying to do a quick filter to replace a given heartbeat field value based on the value of other field but it seems when the field has a dot in the name t error.message, the filter doesn't work:

works:

if [ip] == "10.10.11.25" {
	mutate {
		replace => [ "up", "true" ]
	}
}

doesn't work:

if [error.message] == "401 Unauthorized" {
	mutate {
		replace => [ "up", "true" ]
	}
}

Is there anything special about those types of fields or I am missing something here?

Thanks in advance,

--Boz

Bozzerreaneaux · January 19, 2018, 3:20pm

Sorry, got it to work. I just learned subfields existed. specifying [error][message] fixed it.

if [error][message] == "401 Unauthorized" {
mutate {
replace => [ "up", "true" ]
}
}

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references

system · February 16, 2018, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.