Problem with split add field

Badger · November 19, 2020, 4:57pm

A mutate filter does things in a fixed order, and copy comes after split, so when split executes the [tmp_message] field does not exist.

Break your mutate into two filters, with copy in the first and split and add_field (which is done last) in the second. I would do it as

mutate {
    copy => { "cefmessage" => "[@metadata][cefmessage]" }
}
mutate {
    split => { "[@metadata][cefmessage]" =>  "|" }
    add_field => {
        "cef_device_vendor" => "%{[@metadata][cefmessage][1]}"
        "cef_device_product" => "%{[@metadata][cefmessage][3]}"
        "cef_device_version" => "%{[@metadata][cefmessage][4]}"
    }
}

Fields under [@metadata] are not indexed.

If you want to parse all of the CEF data then you may be able to do it using the cef codec.

Topic		Replies	Views
Logstash doesn't want to split my CEF events Logstash	1	323	November 4, 2019
Problem with "split" and "add_field" in mutate filter Logstash	5	5472	December 19, 2019
Geoip doen't create field correctly Logstash	3	671	January 13, 2020
Create fields by splitting a log Logstash	8	1226	April 2, 2020
How to use split filter on the field using logstash Logstash	5	6148	March 27, 2019

Problem with split add field

Related topics