Rename field value of int with string name

John_Lim · June 20, 2019, 9:20pm

Hello all,
Please provide some tips regarding grok mutate issue.

1.) I created a Kibana dashboard but it will make more sense if I can rename the field value. For instance the action type of Web Security Gateway logs shows number (i.e. 0,1,2,3, etc), instead of showing number, how can I convert the value to (0=allowed, 1=denied, etc)..

for example:

filter {
if [type] == "syslog" {
grok {
match => { "message" => ["%{NUMBER:action_type} %{GREEDYDATA:protocol}" ] }
remove_field => "message"
if [action_type] == 0} {
mutate {
replace => [ "action_type", "allowed" ]
}
}
else if [action_type] == 1} {
mutate {
replace => [ "action_type", "denied" ]
.......
.......
}
}
}
}

Badger · June 20, 2019, 9:40pm

The translate filter documentation has an example similar to this. Make sure you read about the override option on that filter.

John_Lim · June 25, 2019, 1:58pm

Thanks, appreciate it....

Topic		Replies	Views
Converting value in field Logstash	3	228	December 15, 2020
Mutate plugin in Grok Filter Logstash	10	4753	November 2, 2017
How to assign a new field a certain type and value? Logstash	3	17067	July 6, 2017
Filter to change the field name to be more user friendly Logstash	3	266	October 6, 2021
Mutate rename using field value Logstash	3	763	January 12, 2022

Rename field value of int with string name

Related topics