Need help with metricbeat field update

Jonny_Reyes · November 25, 2019, 9:28pm

Hi,

I'm trying to replace a string value (process status that has values like running or stopped) but i'm failing. I only want to update "running" as an 1 and "stopped" as a 0.

I've testing with filters like:

filter {
  if [system.process.state] == "stopped" {
    mutate { replace => { "system.process.state" => "0" } }
  }
}

But always still viewing the string value running or stopped
thanks,

Badger · November 25, 2019, 9:42pm

Do you really have periods in your fieldname, or should that be [system][process][state]?

Jonny_Reyes · November 26, 2019, 11:09am

I'm reading de document finally inserted on elasticsearch, is a json that has this syntax:

{
  "_index": "metricbeat-6.5.4-2019.11.26",
  "_type": "doc",
  "_id": "T5UNp24BtRui5WSZ1hDF",
  "_score": 1,
  "_source": {
    "@timestamp": "2019-11-26T09:32:11.390Z",
    "meta": {
      "cloud": {
        "instance_name": "redis",
        "project_id": "production",
        "provider": "gce"
      }
    },
    "metricset": {
      "rtt": 39421,
      "name": "process",
      "module": "system"
    },
    "system": {
      "process": {
        "username": "redis",
        "cwd": "/var/lib/redis",
        "ppid": 1,
        "pgid": 16714,
        "state": "sleeping",
        "memory": {
          "share": 2695168,
          "size": 1971220480,
          "rss": {
            "bytes": 1112805376,
            "pct": 0.1418
          }
        }
      }
    },
    "beat": {
      "hostname": "redis",
      "version": "6.5.4",
      "name": "redis"
    },
    "host": {
      "architecture": "x86_64",
      "os": {
        "family": "debian",
        "codename": "stretch",
        "platform": "debian",
        "version": "9 (stretch)"
      },
      "id": "12ed2528bcc2bad5d928af1067fb84dc",
      "containerized": false,
      "name": "redis"
    }
  }
}

And i want to replace the system.process.state that could be running, stopped, etc to an integer value. But i don't know if i have to specifi the [_source] nor if I have to put the syntax [_source] [system] [process] [state] OR system.process.state

Badger · November 26, 2019, 1:30pm

It is a nested field, so you should use [system] [process] [state] in logstash.

system · December 24, 2019, 1:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alter filed in logstash filter for Metricbeat Logstash	2	1199	March 1, 2018
Metricbeat 7.17.20 cannot index logstash metrics into Elasticsearch Beats docker , metricbeat	1	147	April 26, 2024
Issue with the fileds.env value Beats metricbeat	5	370	May 3, 2019
Logstash grok to match the metricbeat type and add field Logstash	9	4490	April 4, 2018
Trying to drop Metricbeat events in Logstash Logstash	2	425	November 23, 2017

Need help with metricbeat field update

Related topics