sbocquet
(Stéphane BOCQUET)
January 31, 2025, 10:24am
1
Hi,
Is it possible to remove all tags in the [tags] field at one time?
I have this filter:
# Transfer junk to the garbage datastream
if [Severity] == "DEBUG" {
  mutate {
    update => { "[data_stream][dataset]" => "garbage" }
    remove_tag => [
      "_grok_windows_success",
      "_grok_windows_nomatch",
      "_grok_IIS_success",
      "_grok_IIS_nomatch",
      "_grok_apache_success",
      "_grok_apache_nomatch"
    ]
    add_tag => [ "_grok_garbage_debug_success" ]
  }
}
I have tried to replace all the values with:
mutate {
  replace => { "tags" => [] }
}
but the result is that the tags field has " " in it!
Any advice on how I can do it?
leandrojmp
(Leandro Pereira)
January 31, 2025, 12:21pm
2
If you want to remove all tags, you can just remove the entire field.
mutate {
  remove_field => ["tags"]
}
sbocquet
(Stéphane BOCQUET)
January 31, 2025, 12:34pm
3
Hi,
Thanks for your answer.
The fact is that I want to keep the "tags" field to put another tag in it after cleaning... as in the example above.
leandrojmp
(Leandro Pereira)
January 31, 2025, 1:15pm
4
You can use something like this:
if [Severity] == "DEBUG" {
  mutate {
    update => { "[data_stream][dataset]" => "garbage" }
    remove_field => ["tags"]
  }
  mutate {
    add_tag => [ "_grok_garbage_debug_success" ]
  }
}
This way the first mutate removes the field and the second adds the tag.
You cannot do both in the same mutate because the sequence of operations needs to be preserved, and in this case you need different mutate blocks.
1 Like
Rios
(Rios)
January 31, 2025, 1:33pm
6
Also you have the possibility of custom tags:
tag_on_failure - Default value is ["_grokparsefailure"]
tag_on_timeout - Default value is "_groktimeout"
Just add them to the grok structure.
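A self-contained pipeline that exercises both suggestions in this thread, leandrojmp's two separate mutate blocks and Rios' custom grok failure tag, as an added example that is not part of any post above. The generator input, the two sample log lines, the grok pattern, the [Severity] field it extracts and the initial [data_stream][dataset] value are all constructed for this test; the tag names are the ones used in the thread.

```logstash
# Added example (not from the original thread). Run with:
#   bin/logstash -f clear_tags_test.conf
input {
  generator {
    # Constructed sample lines: one DEBUG event, one ERROR event.
    lines => [
      "DEBUG 2025-01-31T10:24:00Z noise from a chatty module",
      "ERROR 2025-01-31T10:24:01Z something went wrong"
    ]
    count => 1
    # Constructed initial dataset so the mutate "update" below has something to change.
    add_field => { "[data_stream][dataset]" => "windows" }
  }
}

filter {
  # Constructed grok: the first token is the severity.
  # tag_on_failure replaces the default "_grokparsefailure" with the thread's
  # own nomatch tag; add_tag is only applied when the match succeeds.
  grok {
    match => { "message" => "^%{LOGLEVEL:Severity} %{TIMESTAMP_ISO8601:ts} %{GREEDYDATA:msg}$" }
    tag_on_failure => [ "_grok_windows_nomatch" ]
    add_tag => [ "_grok_windows_success" ]
  }

  if [Severity] == "DEBUG" {
    # First mutate: clear every tag at once by dropping the whole [tags] field.
    # Putting add_tag in this same block would not work: within one mutate the
    # common options run as add_field, add_tag, remove_field, remove_tag, so
    # the new tag would be added and then removed with the field.
    mutate {
      update => { "[data_stream][dataset]" => "garbage" }
      remove_field => [ "tags" ]
    }
    # Second mutate: [tags] is re-created containing only the new tag.
    mutate {
      add_tag => [ "_grok_garbage_debug_success" ]
    }
  }
}

output {
  # rubydebug prints each event with its [tags] array, so the effect of the
  # two mutate blocks can be checked per event.
  stdout { codec => rubydebug }
}
```

With this ordering the DEBUG event should leave the pipeline carrying only "_grok_garbage_debug_success" and the dataset "garbage", while the ERROR event keeps "_grok_windows_success" and the original dataset. To see the failure mode the thread is about, move the add_tag line into the first mutate block and rerun: the DEBUG event then has no [tags] field at all. Compared with the original remove_tag list, remove_field also clears tags the filter author did not anticipate (for instance "_grok_windows_nomatch" set by the custom tag_on_failure), which is the point of clearing the field rather than enumerating tags.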