Problem with split add field

Badger · November 19, 2020, 4:57pm

A mutate filter does things in a fixed order, and copy comes after split, so when split executes the [tmp_message] field does not exist.

Break your mutate into two filters, with copy in the first and split and add_field (which is done last) in the second. I would do it as

mutate {
    copy => { "cefmessage" => "[@metadata][cefmessage]" }
}
mutate {
    split => { "[@metadata][cefmessage]" =>  "|" }
    add_field => {
        "cef_device_vendor" => "%{[@metadata][cefmessage][1]}"
        "cef_device_product" => "%{[@metadata][cefmessage][3]}"
        "cef_device_version" => "%{[@metadata][cefmessage][4]}"
    }
}

Fields under [@metadata] are not indexed.

If you want to parse all of the CEF data then you may be able to do it using the cef codec.

Topic		Replies	Views
Logstash doesn't want to split my CEF events Logstash	1	323	November 4, 2019
Problem with "split" and "add_field" in mutate filter Logstash	5	5461	December 19, 2019
Create fields by splitting a log Logstash	8	1226	April 2, 2020
Split field and add new fields Logstash	4	1031	February 26, 2021
Split message logstash elasticsearch Logstash	3	679	March 8, 2022

Problem with split add field

Related Topics