Problem with add_tag

Arnodl · August 8, 2019, 12:07pm

Hello, I would like to change the tags field to a lowercase field.

My original message like this:
{ "@timestamp": "2019-08-08T13:33:38.86", "appid": "bla", "tags": [ "SUCC:AUTHEN"] }

My filter:
mutate {
rename => { "[tags]" => "[tags_tmp]" }
}

	if "SUCC" in [tags_tmp] {
		add_tag = ["succ"]
	}

OR
if [tags_tmp] =~ /SUCC/ {
add_tag = ["succ"]
}

My result:
"tags_tmp": ["SUCC:AUTHEN"],
"tags": ,

Why the tags field is empty??

BennyInc · August 8, 2019, 12:22pm

Have you tried the mutate filter lowercase option instead?

Arnodl · August 8, 2019, 12:27pm

no, tags must look like this :tags: ["succ","authen"]and not like this: tags: ["succ:authen"]

Jenni · August 8, 2019, 12:51pm

But if you followed Benny's suggestion and combined it with a split filter, you'd get what you want.

Badger · August 8, 2019, 1:00pm

The first one, using "in", fails because there is no member of the tags array that is exactly equal to "SUCC". For the second you would have to test against a member of the array

if [tags_tmp][0] =~ /SUCC/ { mutate { add_tag => ["succ"] } }

Arnodl · August 8, 2019, 2:07pm

ok almost works.

"tags_tmp": [ "SUCC:AUTHEN" ]

My filter:
if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
else if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
else if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}
if [tags_tmp][1] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
else if [tags_tmp][1] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
else if [tags_tmp][1] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}

My result: "tags": ["succ"], but why not "tags": ["succ","authen"] ??

Jenni · August 8, 2019, 2:20pm

There is no [tags_tmp][1] because there is only one entry (which is a string with multiple words).

if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}

Arnodl · August 8, 2019, 2:28pm

Great !
It's works:
if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}

Badger · August 8, 2019, 2:45pm

This is all going to be really fragile, because it can break if the initial message has more than one tags. That said, I would do it using

    mutate { copy => { "[tags][0]" => "[tags_tmp]" } }
    mutate { split => { "[tags_tmp]" => ":" } }
    mutate { lowercase => [ "tags_tmp" ] }

which gets you

  "tags_tmp" => [
    [0] "succ",
    [1] "authen"
],

system · September 5, 2019, 2:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.