Processing sequence for logstash - filter - mutate

Hi there,

The filter mutate has a processing order according to the docs here.

I would like to know the order within the rename itself.

Scenario: I am trying to ecs Windows Security Logs with logstash-mutate.

There are over >300 fields in this index which would typically mean >300 rename mutations in logstash. However some events are seen more often than some others, does it provide any improved performance to have the more common fields at the top of the sequence (re:Auditd rules).
Running tests in my lab doesnt show any considerable perf issues but im curious to know how logstash functions behaves behind the hood before deployment into production or if there are any ways to optimize it.

There might be a smarter way of doing this, any suggestions are welcome.


rename => { "[event_data][LocalAddresses]"          => "[event_data][local][addresses]" }
rename => { "[event_data][LocalKeyModPort]"         => "[event_data][local][key_mod_port]" }
rename => { "[event_data][LocalMMPrincipalName]"    => "[event_data][local][mm_principal_name]" }
rename => { "[event_data][LocalOnlyMapped]"         => "[event_data][local][only_mapped]" }
rename => { "[event_data][LocalPorts]"              => "[event_data][local][ports]" }
rename => { "[event_data][LocationInformation]"     => "[event_data][location_information]" }
rename => { "[event_data][LockoutDuration]"         => "[event_data][lockout_duration]" }
rename => { "[event_data][LockoutObservationWindow]"   => "[event_data][lockout_observation_window]" }

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.