Translate filter is not working

input {
  # Polls PostgreSQL over JDBC on a cron schedule and emits one event per returned row.
  jdbc {
    jdbc_driver_library => "/usr/share/logstash/logstash-core/lib/jars/postgresql-42.7.3.jar"
    jdbc_driver_class => "org.postgresql.Driver"
    # NOTE(review): no TLS parameters appear in this URL; whether the database link is
    # encrypted and the server certificate verified depends on driver/server settings — confirm.
    jdbc_connection_string => "jdbc:postgresql://db_ip:5432/cag"
    jdbc_user => "logstash"
    # Placeholder value. A literal password in a pipeline file is readable by anyone who can
    # read the file; Logstash can resolve a ${NAME} reference from its keystore or the
    # environment instead.
    jdbc_password => "mypassword"
    schedule => "*/2 * * * *"  # cron syntax: runs every 2 minutes
    # :sql_last_value is passed as a bound parameter rather than concatenated into the SQL text.
    statement => "SELECT * FROM auth_lists WHERE id > :sql_last_value"
    # Track the numeric "id" column (not the last run time) as :sql_last_value.
    use_column_value => true
    tracking_column => "id"
    tracking_column_type => "numeric"
    # File where the last tracked value is persisted between runs.
    last_run_metadata_path => "/var/lib/logstash/.logstash_jdbc_last_run"
    #statement => "SELECT * FROM auth_lists;"
  }
}


filter {
  # Looks up the value of "device_ip_address" in a YAML dictionary and writes the match to "location".
  translate {
    field => "device_ip_address"
    # NOTE(review): the sample event on this page already carries location => "" from the
    # database row. translate leaves an existing destination field untouched unless
    # override => true is set, so neither the dictionary value nor the fallback is written.
    destination => "location"
    dictionary_path => "/usr/share/logstash/ip_location.yml"
    # Match the whole field value against dictionary keys.
    exact => true
    # Used only when the filter is applied and no dictionary key matches.
    fallback => "unknown"
  }
}

output {
  # Ships events to the Elasticsearch nodes over HTTPS, writing through an ILM rollover alias.
  elasticsearch {
     hosts => ["https://ec1:9200","https://ec2:9200"]
          # CA certificate used to verify the TLS certificates presented by the hosts above.
          ssl_certificate_authorities => '/etc/logstash/certs/http_ca.crt'
          user => "logstash_user"
          # Placeholder value. NOTE(review): the same literal appears for the database password
          # above — presumably both are redacted; keep real credentials out of the pipeline file
          # (keystore/environment ${NAME} reference) and distinct per service.
          password => "mypassword"
          manage_template => false
          data_stream => false
          #index => "postgres-data"
          #index => "log-cag-db-%{+YYYY.MM.dd}"
          # ILM settings: events are written to the alias; the pattern names the backing index.
          ilm_rollover_alias => "log-cag-db"
          ilm_pattern => "{now/d}-000001"
          ilm_enabled => "true"
          ilm_policy => "cag-db_policy"


  }
}

example of ip_location.yml file:

"10.xx.xx.13": " CAG-New Delhi-New_Building-2F"
"10.xx.xx.14": " CAG-New Delhi-New_Building-5F"
"10.xx.xx.15": " CAG-New Delhi-New_Building-3F"

Why is it not working?

You will need to share the sample output of a document where you expected the translate filter to work but it didn't; without it, it is not possible to troubleshoot.

{
  "_index": "log-cag-db-2025.06.19-000001",
  "_id": "uLEg-JcBLAcv2H4BYmXy",
  "_version": 1,
  "_score": 0,
  "_source": {
    "framed_ip_address": "10.47.180.148",
    "id": 118031,
    "device_ip_address": "10.47.171.230",
    "user_name": "shamsher.har.ae",
    "posture_status": "Compliant",
    "location": "",
    "status": 0,
    "endpoint_policy": "Windows10-Workstation",
    "remarks": "",
    "auth_acs_timestamp": "2025-07-11T10:13:25.926+05:30",
    "created_at": "2025-07-11T06:14:50.433459Z",
    "@timestamp": "2025-07-11T06:16:01.439047340Z",
    "@version": "1",
    "nas_port_id": "GigabitEthernet1/0/30",
    "calling_station_id": "8C:DC:D4:53:6C:10"
  },
  "fields": {
    "auth_acs_timestamp": [
      "2025-07-11T04:43:25.926Z"
    ],
    "device_ip_address.keyword": [
      "10.47.171.230"
    ],
    "user_name": [
      "shamsher.har.ae"
    ],
    "endpoint_policy": [
      "Windows10-Workstation"
    ],
    "created_at": [
      "2025-07-11T06:14:50.433Z"
    ],
    "framed_ip_address.keyword": [
      "10.47.180.148"
    ],
    "calling_station_id.keyword": [
      "8C:DC:D4:53:6C:10"
    ],
    "@version": [
      "1"
    ],
    "endpoint_policy.keyword": [
      "Windows10-Workstation"
    ],
    "id": [
      118031
    ],
    "nas_port_id.keyword": [
      "GigabitEthernet1/0/30"
    ],
    "framed_ip_address": [
      "10.47.180.148"
    ],
    "@version.keyword": [
      "1"
    ],
    "remarks.keyword": [
      ""
    ],
    "posture_status": [
      "Compliant"
    ],
    "user_name.keyword": [
      "shamsher.har.ae"
    ],
    "@timestamp": [
      "2025-07-11T06:16:01.439Z"
    ],
    "posture_status.keyword": [
      "Compliant"
    ],
    "location": [
      ""
    ],
    "device_ip_address": [
      "10.47.171.230"
    ],
    "nas_port_id": [
      "GigabitEthernet1/0/30"
    ],
    "calling_station_id": [
      "8C:DC:D4:53:6C:10"
    ],
    "location.keyword": [
      ""
    ],
    "remarks": [
      ""
    ],
    "status": [
      
    ]
  }
}

This is sample data coming from the PostgreSQL database. The location field is empty here. I want to fill it either from the static location.yml file, which maps device IP addresses to locations, or from another table, so that the sample data shows the location corresponding to the device address.

Your translate filter has a fallback option, so if the translation is applied the document will have either a value from the dictionary or the fallback value. Since your document has neither, it suggests the translation was not applied, which will happen if the destination field (here, location) already exists before the translate filter is called.

You can use the override option to force the target fields to be overwritten.
