Hello,
I think I've found a rather weird behavior of translate plugin (logstash 5.4).
I'm looking for a match in a first dictionary; if no match is found, I need to use a second dictionary.
The second translation only works if I remove the destination field (as in the example below).
Could someone check if this is correct, or if I've overlooked something?
filter {
. . .
translate {
field => "Source_Ip"
destination => "src_translation"
exact => true
fallback => "not_found"
dictionary_path => "${DICTS}/first_dict.yml"
}
if ( [src_translation] =~ /not_found/ ) {
# it only works removing destination field
mutate {remove_field => ["src_translation"]}
translate {
field => "Source_Ip"
destination => "src_translation"
exact => true
fallback => "not_found"
dictionary_path => "${DICTS}/second_dict.yml"
}
}
. . . }