Mutate is not working as expected

Elastic Stack Logstash
1

Hello All ,

I am trying to convert MaxTasks field to Interger , I tried two ways here . Specifying the Number format in Grok filter also converting it to Integer using Mutate filter. But of no use. Anything wrong here ? please help.

    filter {

mutate 	{
      remove_field => [ "host" ]
		}


if "srvr_logs" in [tags] 
{
grok {
match => {"message" => "%{WORD:EventType}%{SPACE}%{WORD:EventSubType}%{SPACE}%{INT:Severity}%{SPACE}%{WORD:SARMID}%{NOTSPACE}%{SPACE}%{PROG:EventDate}%{SPACE}%{TIME:EventTime}%{SPACE}%{GREEDYDATA:LogMessage}"}
	}
}
else {

ruby 	{
            code => '
                event.set("message", event.get("message").split("\n"))
            '
				}
        split 	{
            field => "message"
				}
grok {
    match => {
      "message" => [
      #Most specific grok:
        "%{WORD:ServerName}%{SPACE}%{WORD:Comp_Alias}%{SPACE}%{WORD:CompStatus}%{SPACE}%{WORD:CompStartMode}%{SPACE}%{NUMBER:RunningTasks	}%{SPACE}%{NUMBER:MaxTasks}%{SPACE}%{GREEDYDATA:CompName}",
      #Less specific:
        "%{WORD:SBLSRVR_NAME}%{SPACE}%{WORD:SBLSRVR_STATE}"
     ]
  }

}
mutate {
         convert => { "MaxTasks" => "integer" }
       }  
}
       
}
2

Hello,
Have you created a new mapping for your index ?

3

Hello @grumo35 ,

Thanks for your reply. I have deleted the old indexes and restarted the logstash. Changed the grok filter as below. It worked . Thanks

%{WORD:ServerName}%{SPACE}%{WORD:Comp_Alias}%{SPACE}%{WORD:CompStatus}%{SPACE}%{WORD:CompStartMode}%{SPACE}%{NUMBER:RunningTasks:int }%{SPACE}%{NUMBER:MaxTasks:int}%{SPACE}%{GREEDYDATA:CompName}

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.