Rename field value of int with string name

John_Lim · June 20, 2019, 9:20pm

Hello all,
Please provide some tips regarding grok mutate issue.

1.) I created a Kibana dashboard but it will make more sense if I can rename the field value. For instance the action type of Web Security Gateway logs shows number (i.e. 0,1,2,3, etc), instead of showing number, how can I convert the value to (0=allowed, 1=denied, etc)..

for example:

filter {
if [type] == "syslog" {
grok {
match => { "message" => ["%{NUMBER:action_type} %{GREEDYDATA:protocol}" ] }
remove_field => "message"
if [action_type] == 0} {
mutate {
replace => [ "action_type", "allowed" ]
}
}
else if [action_type] == 1} {
mutate {
replace => [ "action_type", "denied" ]
.......
.......
}
}
}
}

Badger · June 20, 2019, 9:40pm

The translate filter documentation has an example similar to this. Make sure you read about the override option on that filter.

John_Lim · June 25, 2019, 1:58pm

Thanks, appreciate it....

system · July 23, 2019, 1:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mutate plugin in Grok Filter Logstash	10	4653	November 2, 2017
How to convert datatype field from "string" to "integer" with mutate filter? Logstash	2	1326	September 4, 2018
Rename a field value in Kibana Kibana	5	4474	July 6, 2017
Mutate --> convert doesn't work Logstash	4	497	April 27, 2020
Append a string to a field after mutate convert filter Logstash	4	219	July 19, 2023

Rename field value of int with string name

Related topics