Mutate rename filter not working on nested fields

Justin_Doles · November 8, 2019, 4:35pm

I'm likely missing something simple, but I cannot seem to get the rename filter to work with my data. The field I'm attempting to rename is nested. It doesn't error, but it also doesn't do anything. I am able to rename a field that isn't nested (e.g.) without issue.
Below is my test config:

input {
	file {
		codec => multiline {
          pattern => '^\{'
          negate => true
          what => "previous"
        }
		path => "c:/logstash/test.json"
		start_position => "beginning"
		mode => "read"
		file_completed_action => "log"
		file_completed_log_path => "c:/logstash/test2.json"
		sincedb_path => "NUL"
	}
}

filter {
	json {
		source => message
	}
	mutate {
		rename => {
			"[destination][as][asn]" => "[destination][as][number]"
			"[destination][as][as_org]" => "[destination][as][organization][name]"
		}
	}
}

output {
	stdout { codec => rubydebug }
}

Here is the file I'm testing with:

{
	"source.as": {
		"asn": 4134,
		"ip": "118.182.21.13",
		"as_org": "No.31,Jin-rong Street"
	},
	"agent.name": "LOGSTASH",
	"source.interface": "X1",
	"@version": "1",
	"message": "Connection Opened",
	"source.ip": "118.182.21.13",
	"destination.port": "1433",
	"network.transport": "tcp",
	"source.geo": {
		"timezone": "Asia/Shanghai",
		"ip": "118.182.21.13",
		"longitude": 103.7922,
		"latitude": 36.0564,
		"location": {
			"lat": 36.0564,
			"lon": 103.7922
		},
		"region_name": "Gansu",
		"country_name": "China",
		"continent_code": "AS",
		"region_code": "GS",
		"country_code3": "CN",
		"country_code2": "CN"
	},
	"destination.interface": "X1",
	"agent.type": "logstash",
	"@timestamp": "2019-11-08T11:36:57.000Z",
	"observer.type": "firewall",
	"source.port": "55705",
	"destination.geo": {
		"city_name": "A City",
		"timezone": "America/New_York",
		"ip": "1.1.1.1",
		"longitude": 74.0060,
		"latitude": 40.7128,
		"location": {
			"lat": 40.7128,
			"lon": 74.0060
		},
		"postal_code": "90210",
		"region_name": "New York",
		"continent_code": "NA",
		"country_name": "United States",
		"region_code": "NY",
		"dma_code": 123,
		"country_code3": "US",
		"country_code2": "US"
	},
	"id": "fwidname",
	"destination.as": {
		"asn": 1234,
		"ip": "1.1.1.1",
		"as_org": "AS Org Name"
	},
	"tags": [
		"syslog",
		"firewall"
	],
	"host.ip": "192.168.0.1",
	"observer.vendor": "firewall",
	"log.original": "LOG ENTRY",
	"observer.ip": "192.168.0.1",
	"destination.ip": "1.1.1.1",
	"observer.serial_number": "ABCD1234"
}

Badger · November 8, 2019, 4:42pm

You have field names with periods in them. That one would be [destination.as][asn]

Justin_Doles · November 8, 2019, 7:16pm

facepalm I knew I was missing something simple. Switching the fields over worked. Thanks.

system · December 6, 2019, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.