Hi,
I'm using the kv filter to extract several fields out of the "attributes" field, which works just fine.
But then I need to apply a mutate filter (a rename, in my case) to one of the key-value pairs that were extracted.
I tried the following:
json {
  source => "message"
}
grok {
  match => [ "message", "%{DATESTAMP:time}\|\s+%{DATA:trackingid}\|\s+%{DATA:attributes}\|\s+%{NUMBER:responsetime}?" ]
  add_field => {
    "level" => "info"
    "application_name" => "sample_app"
  }
}
kv {
  source => "attributes"
  field_split => ", "
}
mutate {
  rename => { "originalValue" => "newValue" }
}
The "originalValue" exists in the attributes, but the rename is not working in that case.
Any suggestions?
Thanks!