Rename a field that has variable in name

spuder · December 15, 2015, 10:29pm

What would be the best way to remove a nested field that has a variable in its name?

For example, the logs I'm parsing as json

{
  "foo": {
    "bar(987234)": "derp"
  }
}

Represented as nested field

[foo][bar(2349871)]

I want to strip out the random numbers.

[foo][bar]

I'm ok to throw the numbers away, but I'd like to preserve them if possible.

Here is what I've tried.

  mutate {
    rename => { "[foo][bar*]" => "[foo][bar]" }
  }

or

  mutate {
    rename => { "[foo][bar%{*}]" => "[foo][bar]" }
  }

or

  mutate {
    rename => { "[foo][bar(*)]" => "[foo][bar]" }
  }

From the documentation it appears that these should work.

https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-split

magnusbaeck · December 16, 2015, 6:55am

You'll have to use a ruby filter for this. Iterate over the keys in event['foo'], see if they match somestring(somenumber) and if so add a new hash with just somestring as the key and delete the old entry.

From the documentation it appears that these should work.

Where does the documentation indicate that wildcards are supported?

Topic		Replies	Views
Renaming fields wild card logstash Logstash	3	2215	August 6, 2019
Renaming multiple fields that are nested Logstash	4	1020	April 8, 2022
Mutate rename filter not working on nested fields Logstash	3	2392	December 6, 2019
Mutate rename filter not working on nested fields Logstash	3	617	December 15, 2020
Rename json nested fields using mutate Logstash	5	448	September 1, 2023

Rename a field that has variable in name

Related topics