Hello, I would like to change the tags field to a lowercase field.
My original message like this:
{ "@timestamp": "2019-08-08T13:33:38.86", "appid": "bla", "tags": [ "SUCC:AUTHEN"] }
My filter:
mutate {
rename => { "[tags]" => "[tags_tmp]" }
}
if "SUCC" in [tags_tmp] {
add_tag = ["succ"]
}
OR
if [tags_tmp] =~ /SUCC/ {
add_tag = ["succ"]
}
My result:
"tags_tmp": ["SUCC:AUTHEN"],
"tags": ,
Why the tags field is empty??
no, tags must look like this :tags: ["succ","authen"]and not like this: tags: ["succ:authen"]
But if you followed Benny's suggestion and combined it with a split filter, you'd get what you want.
The first one, using "in", fails because there is no member of the tags array that is exactly equal to "SUCC". For the second you would have to test against a member of the array
if [tags_tmp][0] =~ /SUCC/ { mutate { add_tag => ["succ"] } }ok almost works.
"tags_tmp": [ "SUCC:AUTHEN" ]
My filter:
if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
else if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
else if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}
if [tags_tmp][1] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
else if [tags_tmp][1] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
else if [tags_tmp][1] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}
My result: "tags": ["succ"], but why not "tags": ["succ","authen"] ??
There is no [tags_tmp][1] because there is only one entry (which is a string with multiple words).
if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}Great !
It's works:
if [tags_tmp][0] =~/SUCC/ {
mutate { add_tag => ["succ"] }
}
if [tags_tmp][0] =~/FAIL/ {
mutate { add_tag => ["fail"] }
}
if [tags_tmp][0] =~/AUTHEN/ {
mutate { add_tag => ["authen"] }
}
This is all going to be really fragile, because it can break if the initial message has more than one tags. That said, I would do it using
mutate { copy => { "[tags][0]" => "[tags_tmp]" } }
mutate { split => { "[tags_tmp]" => ":" } }
mutate { lowercase => [ "tags_tmp" ] }
which gets you
"tags_tmp" => [
[0] "succ",
[1] "authen"
],Ā© 2018. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or otherĀ countries.