Pattern: grok/mutate dont work?

kurdit · October 21, 2022, 3:15pm

hi all! i ran into a problem.
i have a pipeline:

input {
    tcp {
        host => "10.10.10.10"
        port => "5959"
        codec => "json"
        type => "my_type"
        mode => "server"
    }
}

filter {
 if [type] == "my_type" {
    grok {
        match => {"message" => ['\#%{GREEDYDATA:who}%{SPACE}#%{GREEDYDATA:what}\n\n%{GREEDYDATA}: %{GREEDYDATA:contact}%{SPACE} #%{GREEDYDATA:ident}\n%{GREEDYDATA}Cost:%{SPACE}%{DATA:cost}\n%{GREEDYDATA}Date:%{SPACE}%{DATE_EU:when}\n%{GREEDYDATA}Vacant:%{SPACE}%{DATA:vacant}\n(?<info>(.|\r|\n)*)\n\[%{GREEDYDATA}']
           }
       }

    mutate {
        gsub => [
            "what", "milkshake", "Milk 🥛",
            "what", "icecream", "Ice 🍦"
            ]  
        }
        
    mutate {
        gsub => [
            "cost", "-1", "?",
            "contact", "9", "+9"
            ]  
        }
    
    mutate {
        gsub => [
            "contact", "\+9", "tel:+9"
            ]  
        }
        
      if [date] {
            date {
                match => [ "date", "ISO8601", "YYYY-MM-dd'T'HH:mm:ss.ZZZ" ]
                target => "@timestamp"
                } }

    if "_grokparsefailure" in [tags] {
    drop {}
            }
    }
}

output {
    if [type] == "my_type" {
        elasticsearch {
            hosts => ["https://localhost:9200"]
            index => "my_type-%{+xxxx.ww}"
            ilm_rollover_alias => "my_type"
            ilm_policy => "my_type"
            ilm_enabled => "true"
            cacert => ["/etc/logstash/ca.crt"]
            user => "elastic"
            password => "password"
        }
    }
}

in the mutate section after the GROK i replace one word with another which will contain emoji and be capitalized

mutate {
        gsub => [
            "what", "milkshake", "Milk 🥛",
            "what", "icecream", "Ice 🍦"
            ]  
        }

but in elasticsearch in the "what" field I see that the word is substituted with a non-capital letter "milk " instead of "Milk "

I tried to force mutate for the capital letter, but that doesn't help either ("mutate" for the capital letter was placed after the "mutate" for replacement)

mutate {
        capitalize => [ "what" ]
    }

What can be wrong?

A_Mightiev · October 23, 2022, 3:49pm

Do you have something special in your index pattern mapping?

kurdit · October 23, 2022, 8:19pm

no, as far as i know, nothing special

A_Mightiev · October 23, 2022, 8:47pm

Maybe instead of gsub you could use the translate plugin?

kurdit · October 23, 2022, 8:50pm

sorry what plugin are you talking about?

Badger · October 23, 2022, 8:58pm

First verify that the problem is not in logstash by looking at what is produced by

output { stdout { codec => rubydebug } }

(or a file output with that codec). If the problem is on the elasticsearch side it could be an analyzer filter or a processor in an ingestion pipeline.

A_Mightiev · October 23, 2022, 9:50pm

This plugin

kurdit · October 23, 2022, 10:29pm

with Translate filter pluginedit the same - the word is inserted in lowercase

kurdit · October 23, 2022, 10:30pm

no, i dont have analyzer or a processor in an ingestion pipeline

Badger · October 23, 2022, 10:59pm

Does the rubydebug codec show it as uppercase or lowercase?

system · November 20, 2022, 10:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.