Rename fields using a dictionary

frank_esg · August 26, 2020, 8:44am

Hi Folks,

is it possible in Logstash to rename fields (received as json) based on a dictionary File? Basically the same function like the translate filter does, but not for values but for field names.

Background: At the moment our applications are sending there logs in json format to logstash. Problem is that the applications don´t use a unified fieldname set, some fieldnames are the same some not.
We´re now want to implement ECS to harmonize all Fields over all different Logtypes.
Because it would now take a very long time until all teams had converted all their applications to ecs-compliant logging, we would like to rename the old field names in logstash to the new ecs field names. For this we would like to use a dictionary just like the translate filter does.

Is this possible within Logstash?

regards,
Frank

Badger · August 26, 2020, 4:31pm

It is not built in but you could do it in a ruby filter. You can do anything in a ruby filter. You could also re-purpose the translate filter code and build a custom filter.

frank_esg · September 3, 2020, 2:20pm

Hi,

thank you for your Answer. Then i have to figure out how to do that with ruby.

regards,
Frank

system · October 1, 2020, 2:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.