Tagging a document

chapmantrain · October 13, 2020, 12:21pm

With the logic below, I am getting a field in the document, a_device_customer_code = 'dupont', but the document is tagged with tags = '%{cust_code]'. Is there something I am over looking?

|t a_device_customer_code |||---|---|||dupont|
|t tags |||---|---|||syslog, shared, beats_input_codec_plain_applied, %{cust_code}|

        if "shared" in [tags] {
            mutate {
               add_field => { a_device_customer_code => "%{cust_code}" }
               add_tag => [ "%{cust_code}" ]

               remove_field => [ "cust_code" ]
            }
        }

Badger · October 13, 2020, 3:54pm

common options are applied in a fixed order -- add_field, remove_field, add_tag, remove_tag. By the time your add_tag option is applied the remove_field has already been applied. You will need to use two mutate filters to control the order.

chapmantrain · October 13, 2020, 4:13pm

Thanks Badger, didn't know that. I will apply appropriate controls from now on.

system · November 10, 2020, 4:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.