Mutate - using the value of one field to set the name of another

The following fields come from an extract of a CEF format event, in which it is possible to create custom fields and include labels for those fields relevant to a specific event. Labels may be different for different events. For example, in the event below a custom string field is called cs1 and the relevant label for this field in this event is stored as cs1Label:

"suser" => "[Public]",
"dvc" => "1.1.1.5",
"cs1" => "CEFTEST",
"cs1Label" => "Tree Name",
"cat" => "Security",
"flexNumber2Label" => "Grouping",
"host" => "1.1.1.5",
"cn2" => "1",
"duser" => "[Public]",
"cs6Label" => "Server Name",
"flexString2Label" => "SubEvent"

I am trying to use mutate to set the VALUE of the cs1Label field to be the NAME of the cs1 field. In other words, according to the example above, I want to rename cs1 to "TreeName" and remove the cs1Label field altogether, so I would have a field "TreeName" => "CEFTEST".

I am unable to find any syntax which will achieve this. Both the mutate rename and add_field commands seem only to recognise strings and not field references passed to them. Can anyone advise please?

Here is how I am currently doing this. Since the CN1, CS1, etc. are set and should always be static, I just rename the cs1 field to what the value of cs1Label is.

mutate {
  rename => {
    "[cs1]" => "TreeName"
    "[cs2]" => "XXX"
    "[cs3]" => "XXX"
    "[cs4]" => "XXX"
  }
}

Then I remove all the label fields.

mutate { remove_field => [ "cn1Label", "cn2Label", "cs1Label", "cs2Label", "cs3Label", "cs4Label", "cs5Label", "cs6Label" ] }

If the set of fields is not known you would have to use ruby. I have not tested this, but something like

ruby {
    code => '
        # to_hash returns a copy of the fields, so removing fields
        # from the event while iterating over it is safe
        event.to_hash.each { |k, v|
            # the label for field k lives in a sibling field named "#{k}Label"
            newK = event.get("#{k}Label")
            if newK
                event.set(newK, v)
                event.remove(k)
                event.remove("#{k}Label")
            end
        }
    '
}
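As an added, stand-alone illustration of both approaches above (the fixed rename list and the dynamic "field plus its <field>Label sibling" loop), the following Ruby script is not from this thread and not part of the ruby filter's own code. `MiniEvent` is a hypothetical stand-in for the `event` object a Logstash ruby filter receives (it only mimics `get`, `set`, `remove`, `include?` and `to_hash`), and `relabel!` and `label_to_field_name` are names chosen here. The script generalizes the loop to any number of custom fields, strips whitespace from label values before using them as field names (a label such as "Tree Name" cannot be used as-is, as the original poster found), refuses to overwrite a field that already exists, and optionally drops label fields whose owning custom field is absent. The sample event is constructed from the field extract quoted in the question.

```ruby
# Added example, not from the thread. MiniEvent is a hypothetical stand-in for
# the Logstash Event API available inside `ruby { code => '...' }`; when
# pasting the body of relabel! into a real filter, use the real `event`.
class MiniEvent
  def initialize(fields)
    @fields = fields.dup
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end

  def remove(name)
    @fields.delete(name)
  end

  def include?(name)
    @fields.key?(name)
  end

  def to_hash
    @fields.dup # a copy, like the real API, so callers may mutate while iterating
  end
end

LABEL_SUFFIX = "Label".freeze

# Turn a human-readable CEF label ("Tree Name", "Server Name") into a name
# usable as a Logstash field reference: drop whitespace and the reserved
# bracket characters.
def label_to_field_name(label)
  label.to_s.gsub(/\s+/, "").delete("[]")
end

# For every field k that has a sibling "#{k}Label", rename k to the label's
# (cleaned) value and drop the label field. Returns the [old, new] pairs applied.
# A label that yields an empty name, or a name that already exists on the event
# (a standard CEF field, or one produced by an earlier label), is skipped so no
# data is silently overwritten. With drop_orphan_labels, *Label fields whose
# owning custom field is absent from the event are removed as well.
def relabel!(event, drop_orphan_labels: true)
  renamed = []
  event.to_hash.each do |k, v|
    next if k.end_with?(LABEL_SUFFIX)      # labels are handled via their owner
    label_key = "#{k}#{LABEL_SUFFIX}"
    next unless event.include?(label_key)
    new_name = label_to_field_name(event.get(label_key))
    next if new_name.empty? || event.include?(new_name) # unusable or would clobber
    event.set(new_name, v)
    event.remove(k)
    event.remove(label_key)
    renamed << [k, new_name]
  end
  if drop_orphan_labels
    event.to_hash.each_key do |k|
      next unless k.end_with?(LABEL_SUFFIX)
      owner = k[0...-LABEL_SUFFIX.length]
      event.remove(k) unless event.include?(owner)
    end
  end
  renamed
end

# Constructed sample, modelled on the field extract quoted in the question.
SAMPLE = {
  "suser" => "[Public]",
  "dvc" => "1.1.1.5",
  "cs1" => "CEFTEST",
  "cs1Label" => "Tree Name",
  "cat" => "Security",
  "flexNumber2Label" => "Grouping",
  "host" => "1.1.1.5",
  "cn2" => "1",
  "duser" => "[Public]",
  "cs6Label" => "Server Name",
  "flexString2Label" => "SubEvent",
}.freeze

if __FILE__ == $PROGRAM_NAME
  ev = MiniEvent.new(SAMPLE)
  p relabel!(ev)   # renames applied, e.g. [["cs1", "TreeName"]]
  p ev.to_hash     # "TreeName" => "CEFTEST"; cs1/cs1Label and orphan labels gone
end
```

Running it on the sample turns `cs1`/`cs1Label` into `"TreeName" => "CEFTEST"` and, because the extract carries `cs6Label`, `flexNumber2Label` and `flexString2Label` without their owning fields, removes those labels too; pass `drop_orphan_labels: false` to keep them. The collision check is the part worth keeping in production: a label value that happens to equal an existing field name (say `host`) would otherwise replace real data.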

Mea culpa. Apologies. It works just fine - I had simply failed to eliminate the spaces from the label value and thus the intended field name was invalid. So for the record - although you may well be able to do this with ruby code, it is not necessary and you cannot rely on using fixed strings because CEF is an extensible format so different events may well - and in my case certainly do - have different values for the same label field for different events. Anyway problem solved, thanks for the replies and apologies for wasting your time!
