Renaming fields wild card logstash

Paulo64 · July 8, 2019, 5:40pm

Hello,

From what I have read, there is not yet wild card associated with fields to use with "mutate".
In my logstash config, I am doing something like this :

filter {
    mutate {
        rename => ["Site.Equipment.Metric", "Metric" ]
    }
}

Since all my fields are generated dynamically (Site(x),Equipement(x),Metric(x)), I would like to be able to rename all incoming fields like this :

filter {
    mutate {
        rename => ["*.Whatever", "Whatever" ]
    }
}

I tried unsuccessfully using a ruby filter, splitting with and "." and keeping the last value of the array and removing the key and reassigning.

Is there a workaround to do this ?
Have you any clean solution to this issue ?

Thank you for your help,

Badger · July 8, 2019, 6:11pm

Do you field names really have dots in them or are they fields nested within objects? If they contain dots then you can do it using

    ruby {
        code => '
            event.to_hash.each { |k, v|
                event.remove(k)
                newK = k.sub(/.*\.([^\.]+)$/, "\\1")
                event.set(newK, v)
            }
        '
    }

Paulo64 · July 9, 2019, 9:00am

Thank you very much, works like a charm

system · August 6, 2019, 9:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.