Problem with add_tag

Arnodl · August 8, 2019, 12:07pm

Hello, I would like to change the tags field to a lowercase field.

My original message like this:
{ "@timestamp": "2019-08-08T13:33:38.86", "appid": "bla", "tags": [ "SUCC:AUTHEN"] }

My filter:
mutate {
rename => { "[tags]" => "[tags_tmp]" }
}

	if "SUCC" in [tags_tmp] {
		add_tag = ["succ"]
	}

OR
if [tags_tmp] =~ /SUCC/ {
add_tag = ["succ"]
}

My result:
"tags_tmp": ["SUCC:AUTHEN"],
"tags": ,

Why the tags field is empty??

BennyInc · August 8, 2019, 12:22pm

Have you tried the mutate filter lowercase option instead?

Arnodl · August 8, 2019, 12:27pm

no, tags must look like this :tags: ["succ","authen"]and not like this: tags: ["succ:authen"]

Jenni · August 8, 2019, 12:51pm

But if you followed Benny's suggestion and combined it with a split filter, you'd get what you want.

Badger · August 8, 2019, 1:00pm

The first one, using "in", fails because there is no member of the tags array that is exactly equal to "SUCC". For the second you would have to test against a member of the array

if [tags_tmp][0] =~ /SUCC/ { mutate { add_tag => ["succ"] } }

Arnodl · August 8, 2019, 2:07pm

ok almost works.

"tags_tmp": [ "SUCC:AUTHEN" ]

My filter:
if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
else if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
else if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}
if [tags_tmp][1] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
else if [tags_tmp][1] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
else if [tags_tmp][1] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}

My result: "tags": ["succ"], but why not "tags": ["succ","authen"] ??

Jenni · August 8, 2019, 2:20pm

There is no [tags_tmp][1] because there is only one entry (which is a string with multiple words).

if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}

Arnodl · August 8, 2019, 2:28pm

Great !
It's works:
if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}

Badger · August 8, 2019, 2:45pm

This is all going to be really fragile, because it can break if the initial message has more than one tags. That said, I would do it using

    mutate { copy => { "[tags][0]" => "[tags_tmp]" } }
    mutate { split => { "[tags_tmp]" => ":" } }
    mutate { lowercase => [ "tags_tmp" ] }

which gets you

  "tags_tmp" => [
    [0] "succ",
    [1] "authen"
],

system · September 5, 2019, 2:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Add_tag Logstash	10	5159	July 6, 2017
Append tag in Elasticsearch using Logstash Logstash	7	4067	October 26, 2018
Logstash add_field Logstash	7	37584	July 6, 2017
[SOLVED] The filter plugin mutate-convert doesn't work in 5.0 Logstash	17	8866	December 9, 2016
Please help, I cannot add two tags without replacing the tag that added first Logstash	3	384	January 14, 2019

Problem with add_tag

Related Topics