Mutate message in Logstash

Joseph-Gan-wk · May 19, 2020, 8:11am

Hi all,
I want to ask is that Logstash filtering support the case like this:-

value field is ABCDE, abcde, 12345, @#$%

if the value field is ABCDE and abcde,
then overwrite ABCE and abcde to 98765.

mutate {
	match => ["destination", "RSC 8 Entry Zone","RSC 8 Exit Zone","RSC ENTRY GENERAL ACCESS","RSC EXIT GENERAL ACCESS","RSC9 T1 MALE ENTRY TURNSTILE","RSC9 T1 MALE EXIT TURNSTILE" ]
	update => {"destination", "RSC"}
	}

*mutate filter is no support match
something like that, but i am not sure what method is suitable to use.

andres-perez · May 19, 2020, 9:31am

For just a couple of values as your introductory example, you may use a conditional block if [field] in ["ABCDE", "abcde"] {... with mutate - replace

If there is a bigger list of entries you want to replace with different values (in your configuration example, just a unique value for all the entries), you could also use a translate filter with a dictionary, which might be more readable and flexible.
Take care of the option override => true to actually overwrite the field.

Joseph-Gan-wk · May 21, 2020, 7:11am

@andres-perez
thanks, it works.

Topic		Replies	Views
Mutate - replace field string using another pattern Logstash	3	4394	December 26, 2016
Mutate filter Logstash	3	281	August 6, 2018
Logstash mutate replace field Logstash	7	3439	May 16, 2017
Logstash mutate replace filter fails Logstash	5	851	November 28, 2019
Converting value in field Logstash	3	232	December 15, 2020

Mutate message in Logstash

Related topics