Mutate filter doesn't work with error.message (heartbeat) field

Bozzerreaneaux · January 19, 2018, 3:07pm

Hello,

trying to do a quick filter to replace a given heartbeat field value based on the value of other field but it seems when the field has a dot in the name t error.message, the filter doesn't work:

works:

if [ip] == "10.10.11.25" {
	mutate {
		replace => [ "up", "true" ]
	}
}

doesn't work:

if [error.message] == "401 Unauthorized" {
	mutate {
		replace => [ "up", "true" ]
	}
}

Is there anything special about those types of fields or I am missing something here?

Thanks in advance,

--Boz

Bozzerreaneaux · January 19, 2018, 3:20pm

Sorry, got it to work. I just learned subfields existed. specifying [error][message] fixed it.

if [error][message] == "401 Unauthorized" {
mutate {
replace => [ "up", "true" ]
}
}

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references

system · February 16, 2018, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash mutate replace field Logstash	7	3384	May 16, 2017
Some problem of if and mutate in logstash filter Logstash	7	457	June 5, 2018
Why is this (specific) mutate not working? Logstash	11	1587	March 19, 2020
Mutate rename filter not working on nested fields Logstash	3	617	December 15, 2020
Bug or my usage of Mutate filter? Logstash	3	675	July 6, 2017

Mutate filter doesn't work with error.message (heartbeat) field

Related topics