Trying to replace 'host' and 'port' fields

What I'm trying to do is remove the "host" field which is created by the "tcp" input plugin. I cannot do: mutate { rename => { "host" => "[source][ip]" } }
because I use ECS, and I have fields such as [host][hostname]. Do you have any ideas?

What does host look like if you use

output { stdout { codec => rubydebug } }

If you have fields such as [host][hostname] then I would expect the event.set that the tcp plugin uses to change [host] to an array. In which case you can use mutate+rename.

mutate {
  rename => {
    "host" => "[source][ip]"
    "port" => "[source][port]"
    "Hostname" => "[host][hostname]"
  }
}
It's ok, but when the field [host][hostname] comes right away, I can't do:

mutate {
  rename => {
    "host" => "[source][ip]"
  }
}

[2019-12-10T15:23:55,691][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"undef-2019.12.10", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x70d95d10>], :response=>{"index"=>{"_index"=>"index-2019.12.10", "_type"=>"_doc", "_id"=>"l6018G4BcoNUUJv10FHx", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [host] tried to parse field [host] as object, but found a concrete value"}}}}

I would like the field [host] to be immediately renamed to [source][ip].
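The mapper_parsing_exception in the thread happens because the tcp input writes `host` as a plain string, while ECS expects `[host]` to be an object with sub-fields such as `[host][hostname]`; once both shapes reach the same index, the object mapping rejects the string. The pipeline below is an added example, not code from the original thread or from the Logstash project. It assumes the legacy (pre-ECS) tcp input field names `host` and `port`, a constructed message layout of the form `<hostname> <rest of line>` for the dissect filter, and a listening port of 5000; everything else follows the rename approach already described in the thread, with a ruby filter as a final guard that moves any leftover string `host` into `[source][ip]` so the event can never carry a concrete value under `[host]`.

```logstash
input {
  # Assumed port; the thread does not state one.
  tcp { port => 5000 }
}

filter {
  # Step 1: move the tcp plugin's own connection metadata out of the way
  # before any later filter has a chance to populate the ECS [host] object.
  # Within one rename hash both renames happen in a single mutate pass.
  mutate {
    rename => {
      "host" => "[source][ip]"
      "port" => "[source][port]"
    }
  }

  # Step 2: constructed parser. It assumes the payload starts with the
  # sender's hostname followed by a space; adapt the mapping to your data.
  dissect {
    mapping => { "message" => "%{Hostname} %{rest}" }
  }

  # Step 3: now that [host] no longer holds a string, it is safe to create
  # the ECS object field [host][hostname].
  mutate {
    rename => { "Hostname" => "[host][hostname]" }
  }

  # Step 4: defensive guard. If some code path still left [host] as a plain
  # string (for example a filter that ran before the rename), move it into
  # [source][ip] rather than letting Elasticsearch reject the whole event.
  ruby {
    code => '
      h = event.get("host")
      if h.is_a?(String)
        event.set("[source][ip]", h) if event.get("[source][ip]").nil?
        event.remove("host")
      end
    '
  }
}

output {
  # rubydebug prints the final event structure so you can confirm that
  # [host] is an object and [source][ip] / [source][port] are scalars.
  stdout { codec => rubydebug }
}
```

Ordering is the whole point: the first mutate must run before anything that creates `[host][hostname]`. The ruby guard at the end is cheap insurance for pipelines where several filters or conditionals touch `host`, and it keeps a single malformed event from producing the 400 shown in the log line above.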
