Split field and add new fields

jtillman2020 · January 28, 2021, 9:48pm

I have a string field named "One".

<165>Original Address=1.1.1.1 1 2021-01-28T15:08:03.136-05:00 DeviceName - - - - fpc3 DHCP Packet Drop: Packet src ip/mac 192.168.123.1/54:48:10:db:86:b6

I use

mutate {
     split => {"One" => " "}
}

To split on the space. Which looks like this:

<165>Original, Address=1.1.1.1, Jan, 28, 16:38:42, DeviceName, fpc3, DHCP, Packet, Drop:, Packet, src, ip/mac, 192.168.123.1/54:48:10:db:86:b6

I then use

mutate {
    add_field => { "Hostname" => "%{One[5]}" }
}

To create a new field named "Hostname" and use the data in index 5 of the "One" field. However, I get this error in the logstash logs:

Exception caught while applying mutate filter {:exception=>"Invalid FieldReference: `One[5]`"}

According to this documentation, it should work:

Badger · January 29, 2021, 1:34pm

The documentation is out of date. The field reference should be

"%{[One][5]}"

References without square brackets was disallowed a few versions back.

jtillman2020 · January 29, 2021, 1:36pm

That worked. Hopefully the documentation will get updated. One more thing. Once I split on the space:

<165>Original, Address=1.1.1.1, Jan, 28, 16:38:42, DeviceName, fpc3, DHCP, Packet, Drop:, Packet, src, ip/mac, 192.168.123.1/54:48:10:db:86:b6

Is there a way to retrieve just the three indexes at "DHCP, Packet, Drop" then combine them into one new field named "EventType"? So I would have "EventType: DHCP Packet Drop".

Badger · January 29, 2021, 5:01pm

Use mutate+add_field with multiple sprintf references

mutate {
    add_field => { "Hostname" => "%{[One][6]} %{[One][7]} %{[One][8]}" }
}

system · February 26, 2021, 5:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.