Translate results in incorrect (surprise) value

cawoodm · March 29, 2018, 9:22am

We have syslog input events with severity 6 which we want to map to priority 1:

translate {
		field => "severity"
		destination => "priority"
		dictionary => {
			"0" => 5
			"1" => 4
			"2" => 3
			"3" => 3
			"4" => 2
			"5" => 1
			"6" => 1
			"7" => 0
		}
	}
	translate {
		field => "severity"
		destination => "type"
		dictionary => {
			"0" => "ERROR"
			"1" => "ERROR"
			"2" => "ERROR"
			"3" => "ERROR"
			"4" => "WARNING"
			"5" => "INFO"
			"6" => "INFO"
			"7" => "DEBUG"
		}
	}

The resulting priority (14) is incorrect and we can't understand where it's coming from:

{
	"severity" => 6,
	"type" => "INFO",
	"priority" => 14,
	"facility" => 1,
	"severity_label" => "Informational",
	"timestamp" => 2018-03-29T09:15:50.000Z
}

Logstash 6.2.2 Windows

Christian_Dahlqvist · March 29, 2018, 9:39am

Does that event perhaps already have the priority field set? As you have not specified the override parameter in your translate filter, the translation would not overwrite it.

cawoodm · March 29, 2018, 9:58am

By Jove you're right! Thank you sir!

I keep stumbling over this one. IMO the default should be override => true but I guess that ship has sailed.

system · April 26, 2018, 9:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.