Replace multiple value in a specified field

f26227279 · June 6, 2018, 10:23am

Hi, I want to replace 6 to TCP and 17 to UDP in the PROTOCOL field.
this is my logstash config:

input{
        tcp{
                host => "163.19.X.X"
                port => 5510
                codec => json

        }
}
filter{
        if [PROTOCOL] == "6"{
             mutate{replace => {"PROTOCOL"=>"TCP"}}
          }
        if [PROTOCOL] == "17"{
             mutate{replace => {"PROTOCOL"=>"UDP"}}
          }
}
output{
elasticsearch {
                codec => "json"
                hosts => ["163.19.X.X:9200","163.19.X.X:9200","163.19.X.X:9200"]
                user => "elastic"
                password => "9ol./;p0"

        }

but it can't work.
plz help me

arkady_renko · June 7, 2018, 3:39pm

is PROTOCOL string or integer?

sample input would be helpful to debug.

Badger · June 7, 2018, 4:17pm

Or change the output to be 'stdout { codec => rubydebug }'. We can see that PROTOCOL is a string in Kibana, but that does not require that it is one in logstash. If rubydebug shows

PROTOCOL => 5

rather than

PROTOCOL => "5"

then you should change the if condition to match it

f26227279 · June 12, 2018, 1:13am

thanks for your reply !
I found the "PROTOCOL" default type is number, and I want to change it to string such as 6 to TCP.
How can I do?

this is the logstash debug log:

[2018-06-12T09:09:09,431][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.06.12", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x583a02c8>], :response=>{"index"=>{"_index"=>"logstash-2018.06.12", "_type"=>"doc", "_id"=>"CI2H8WMBuct0wI0D_4PU", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [PROTOCOL]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: \"TCP\""}}}}}

f26227279 · June 12, 2018, 2:55am

it can work now!
final config:

input{
        tcp{
                host => "163.19.XX.X"
                port => 5510
                codec => json

        }
}
filter{
        if [PROTOCOL]==6 {
             mutate{replace => {"PROTOCOL"=>"TCP"}}
          }
        if [PROTOCOL]==17 {
             mutate{replace => {"PROTOCOL"=>"UDP"}}
          }
        if [PROTOCOL]==1 {
             mutate{replace => {"PROTOCOL"=>"ICMP"}}
          }

}
output{
elasticsearch {
                codec => "json"
                hosts => ["163.19.X.XX:9200"]
        #user => "elastic"
        #password => "9ol./;p0"

        }

                stdout{codec=> rubydebug}

}

Badger · June 12, 2018, 6:59am

FYI a translate filter would be another way of doing this. For 3 values I don't think it matters which one you use.

system · July 10, 2018, 6:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.