Replace dots in field names for ES 2.0

juerkan · October 14, 2015, 6:55pm

Dear logstash pro's
We produce logs and we use logstash to bring it into elasticsearch.
There hundrets of dynamic produced field names with a dot inside. (not nestet fields)
And we have field names with no dots.
for example:
originator.id1 = 27
caseid = 1235
originator.res1 =346
originator.case142 = 341
is there a way in logstash to replace a dot in a field name dynamicly.
something like:
If in the field name is a dot, replace it with a under score.
output should be:
originator_id1 = 27
caseid = 1235
originator_res1 =346
originator_case142 = 341

i played with the gsub filter plugin, but without success
help me out, please

juerkan · October 14, 2015, 7:20pm

i forget:
a field name can consist more than one dot.
for example:
mass.originator.2.type

thx

magnusbaeck · October 14, 2015, 7:23pm

The mutate filter's gsub option works on field values, not field names. You need to use the ruby filter for this and write some custom Ruby code.

juerkan · October 28, 2015, 1:36pm

Hi, many thanks for your advice,
I tried...... but, i'm not a ruby ninja

Is there someone out there, who can help me with this ruby code

i think other people will have the same problem (dots in field names) with ES2.0

thank you and greetings from austria

Topic		Replies	Views
Migrating fields with dots for ES 2.0 upgrade Elasticsearch	4	1187	July 5, 2017
Removing field from mapping Elasticsearch	4	10941	July 5, 2017
Field names with dots Logstash	4	1534	July 6, 2017
Dots in Fieldnames => ES 2.X Upgrade will fail? Elasticsearch	4	744	July 5, 2017
ES 2.1.2: Handling bad field names Elasticsearch	3	789	July 5, 2017

Replace dots in field names for ES 2.0

Related Topics