Remove part of field name in Logstash

gasmi · December 11, 2017, 10:22am

I am using Logstash 6.0.0

I am receiving metrics with different application Ids. How can I delete the application Id in the field name?

application_1512057801087_0235.driver.BlockManager.memory.maxMem_MB => driver.BlockManager.memory.maxMem_MB

paz · December 11, 2017, 1:40pm

A quick solution would be some custom Ruby code, especially if you don't know the application id patterns beforehand, like

ruby {
    code => "
        event.set('fieldname', event.get('fieldname').split('.')[1..-1].join('.'))
    "
}

It's kinda overkill, but it works (unless there are dots in the application id itself).

gasmi · December 11, 2017, 4:53pm

Ho w can I indicate that the ruby code applies only on field starting with "application_..."

filter {
    if [type] == "spark" {
         ruby {
                code => "event.set('fieldname', event.get('fieldname').split('.')[1..-1].join('.')"
         }
    }
}

magnusbaeck · December 12, 2017, 6:32am

With a dynamic field name you'll have to iterate over all fields.

if event.to_hash.each { |k, v|
  if k.start_with? 'application_'
    event.set('application', v)
    event.remove(k)
    break
  end
}

system · January 9, 2018, 6:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash name fields Logstash	4	659	July 6, 2017
How to dynamic parse fieldname and replace? Logstash	3	1317	June 20, 2019
Rename a field that has variable in name Logstash	2	1540	July 6, 2017
Logstash 2.1: Dynamically Altering Field Names Logstash	6	1614	July 6, 2017
Remove part of field name from json inputted fields Logstash	9	3826	July 6, 2017

Remove part of field name in Logstash

Related topics