Repeated values with mutate filter in nested json output

fraescaya10 · January 27, 2016, 10:46pm

I have the following input log:
.... proto=6 source=10.13.30.47 ....

I need the following output in json:

"data": {
    "key1": {
        "src": "10.13.30.47",
        "proto": 6
     },
    "key2": {
        "src": "10.13.30.47"
        "proto": 6
    }
}

I used the mutate filter to do this

mutate {
    rename => { "proto" => "[data][key1][proto]" }
    rename => { "proto" => "[data][key2][proto]" }
    rename => { "source" => "[data][key1][src]" }
    rename => { "source" => "[data][key2][src]" }
}

but when i use logstash with this configuration, the console output is :

{
    "\"":
    {
        "data":
        {
            "key1":
            {
                "proto":
                {
                    "\", \"":
                    {
                        "data":
                        {
                            "key2":
                            {
                                "proto":
                                {
                                    "\"": "6"
                                }
                            }
                        }
                    }
                },
                "src":
                {
                    "\", \"":
                    {
                        "data":
                        {
                            "key2":
                            {
                                "src":
                                {
                                    "\"": "10.13.30.47"
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

magnusbaeck · January 28, 2016, 7:07am

I can't explain this behavior, but trying to rename the same field multiple times doesn't seem like a good idea to me. I'd try this:

mutate {
  add_field => {
    "[data][key1][proto]" => "%{proto}"
    "[data][key1][src]" => "%{src}"
  }
}
mutate {
  rename => {
    "proto" => "[data][key2][proto]"
    "src" => "[data][key2][src]"
  }
}

fraescaya10 · January 28, 2016, 3:38pm

Thank you, that solves the problem for me, thank you very much.

Topic		Replies	Views
Mutate rename filter not working on nested fields Logstash	3	2392	December 6, 2019
Nested json using logstash mutate filter Logstash	2	1030	September 20, 2019
Logstash rename json fields Logstash	7	653	March 15, 2023
Mutate rename filter not working on nested fields Logstash	3	617	December 15, 2020
Renaming multiple fields that are nested Logstash	4	1021	April 8, 2022

Repeated values with mutate filter in nested json output

Related topics