Trying to replace 'host' field (created by tcp input) with a hash

Hi,

Logstash version: 6.2.4 (RPM)

What I'm trying to do is remove the "host" field which is created by the "tcp" input plugin. The reason I'm doing this is to use it to contain the host hash as specified in the ECS (https://github.com/elastic/ecs/blob/master/schemas/host.yml). I'm essentially attempting to replace a string with a hash. No matter what I try, once I've removed the "host" field, I don't seem to be able to create it again.

I would have thought this would be extremely simple. Here's a (cut-down) snippet of my code:

input {
  tcp {
    port => 8514
  }
}
filter {
  json {
    source => "message"
    target => "tmp"
  }
  mutate { # Removing the old host/port fields created by the 'tcp' input.
    remove_field => [ "port", "host" ]
  }
  mutate { # Creating the new one.
    rename => { "[tmp][host.name]" => "[host][name]" }
  }
}

Note that the "message" field that is arriving out of the tcp input contains JSON, and that inside that JSON, there's a field called "host.name".

If I rename the [tmp][host.name] to something other than [host][name], it works. However, if I try to rename it to [host][name], Logstash appears to just ignore it (and the field gets lost). Once a field has been removed with "remove_field" can it ever be created again? If not, should the tcp input filter be updated to not interfere with the use of the ECS? Or is something else going on here?

Thanks for your time.
Nick
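The same replacement written as a Logstash ruby filter body, added here as an example and not part of Nick's post: `filter(event)` returning an array of events is the shape the ruby filter's script mode expects, and `StubEvent` is a constructed stand-in for the Logstash Event API (`get`/`set`/`remove` with `[outer][inner]` references) so the block runs outside Logstash.

```ruby
require 'json'

# Minimal stand-in for the Logstash Event API (constructed for this example):
# only get/set/remove with plain names or [outer][inner] field references.
class StubEvent
  def initialize(data); @data = data; end
  def to_hash; @data; end

  def get(ref)
    path(ref).reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  end

  def set(ref, value)
    keys = path(ref)
    parent = keys[0..-2].reduce(@data) do |h, k|
      h[k] = {} unless h[k].is_a?(Hash)   # create intermediate objects as needed
      h[k]
    end
    parent[keys.last] = value
  end

  def remove(ref)
    keys = path(ref)
    parent = keys[0..-2].reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
    parent.delete(keys.last) if parent.is_a?(Hash)
  end

  private

  def path(ref)
    ref.start_with?('[') ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  end
end

# Ruby filter body: drop the scalar host/port the tcp input attached, then
# rebuild host as an object holding host.name taken from the JSON message.
def filter(event)
  event.remove('host')
  event.remove('port')
  begin
    payload = JSON.parse(event.get('message').to_s)
  rescue JSON::ParserError
    payload = {}                          # non-JSON message: leave host unset
  end
  payload = {} unless payload.is_a?(Hash)
  name = payload['host.name']             # dotted key inside the JSON document
  event.set('[host][name]', name) unless name.nil?
  [event]
end
```

Inside Logstash only `filter` is needed; it is assumed here to live in the file referenced by the ruby filter's `path` option, with `StubEvent` left out.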
