Hi,
I'm using the translation filter to look up some values. This works but the issue I'm running into is that I want to keep the original field untouched so I need to copy the field and replace the value in the new field with the dictionary file value if an entry exists or otherwise keep the original value.
I'm trying to use an IF statement to check if the field exists, and this part works: if the field exists, a new field with the same value is created. But for some reason, when using the IF statement, the translate filter doesn't work anymore.
input {
  udp {
    port => 9995
    type => "netflow"
    codec => netflow {
      versions => [9]
    }
  }
}

filter {
  mutate {
    add_field => {
      "[netflow][ipv4_dst_host]" => "%{[netflow][ipv4_dst_addr]}"
      "[netflow][ipv4_src_host]" => "%{[netflow][ipv4_src_addr]}"
    }
  }

  if ([netflow][l4_dst_port]) {
    mutate {
      add_field => {
        "[netflow][l4_dst_port_translation]" => "%{[netflow][l4_dst_port]}"
      }
    }
  }

  translate {
    dictionary_path => '/etc/logstash/port_translation.yaml'
    field => "[netflow][l4_dst_port]"
    destination => "[netflow][l4_dst_port_translation]"
  }

  dns {
    action => 'replace'
    reverse => "[netflow][ipv4_dst_host]"
  }

  dns {
    action => 'replace'
    reverse => "[netflow][ipv4_src_host]"
  }
}

output {
  if [type] == "netflow" {
    elasticsearch {
      hosts => localhost
      index => "netflow-%{+YYYY.MM.dd}"
    }
  }
}
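The translate filter has a `fallback` option that writes a default value into the destination field when the dictionary has no entry, and that default may use `%{...}` sprintf references. That removes the need to pre-create the destination field with `mutate`, which matters because translate by default does not overwrite a destination field that already exists (that is what its `override` option controls). The following filter section is an added example, not the poster's configuration; the dictionary path and the dictionary entries shown in the comment are assumptions:

```conf
filter {
  # Enrich the destination port with a service name while leaving the
  # original [netflow][l4_dst_port] untouched.
  # Assumed dictionary file /etc/logstash/port_translation.yaml (constructed
  # example content; keys quoted so the numeric ports are looked up as strings):
  #   "22": "ssh"
  #   "53": "dns"
  #   "443": "https"
  if [netflow][l4_dst_port] {
    translate {
      field           => "[netflow][l4_dst_port]"
      destination     => "[netflow][l4_dst_port_translation]"
      dictionary_path => "/etc/logstash/port_translation.yaml"
      # No dictionary match: copy the original port number into the
      # destination field instead of leaving it empty.
      fallback        => "%{[netflow][l4_dst_port]}"
    }
  }
}
```

If the `mutate { add_field => ... }` step that pre-populates `[netflow][l4_dst_port_translation]` is kept, the translate filter must be given `override => true`; otherwise it sees the destination field already present and skips the event. The fallback form above avoids that ordering dependency entirely. Keep the dictionary keys quoted in the YAML file: an unquoted `22:` is parsed as an integer key and will not match the port value, which is looked up as a string.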