Mutate message in Logstash

Joseph-Gan-wk · May 19, 2020, 8:11am

Hi all,
I want to ask is that Logstash filtering support the case like this:-

value field is ABCDE, abcde, 12345, @#$%

if the value field is ABCDE and abcde,
then overwrite ABCE and abcde to 98765.

mutate {
	match => ["destination", "RSC 8 Entry Zone","RSC 8 Exit Zone","RSC ENTRY GENERAL ACCESS","RSC EXIT GENERAL ACCESS","RSC9 T1 MALE ENTRY TURNSTILE","RSC9 T1 MALE EXIT TURNSTILE" ]
	update => {"destination", "RSC"}
	}

*mutate filter is no support match
something like that, but i am not sure what method is suitable to use.

andres-perez · May 19, 2020, 9:31am

For just a couple of values as your introductory example, you may use a conditional block if [field] in ["ABCDE", "abcde"] {... with mutate - replace

If there is a bigger list of entries you want to replace with different values (in your configuration example, just a unique value for all the entries), you could also use a translate filter with a dictionary, which might be more readable and flexible.
Take care of the option override => true to actually overwrite the field.

Joseph-Gan-wk · May 21, 2020, 7:11am

@andres-perez
thanks, it works.

system · June 18, 2020, 7:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.