Unable to include runtime log data in 'mutate' filter plugin

ankitdevnalkar · December 18, 2020, 4:43pm

I am trying to fetch cloudflare log data via API and want add a new field such as actor.email in index.

My end goal is to add a new field in index having data in meaningful sentence like A user someone@email.com(actor.email) is removed from organisation

 input {
      http_poller {
        urls => {
          test2 => {
            method => get
            url => "https://api.cloudflare.com/client/v4/user/audit_logs"
            headers => {
                "X-Auth-Email" => "my@redacted.com"
                "X-Auth-Key" => "API_key"
                "Content-Type" => "application/json"
            }
         }
        }
            schedule => { cron => "* * * * * UTC"}
            codec => "json"
      }
    }
    filter {
    split
                    {
                            field => "result"
                    }
          mutate {
            add_field => { "foo_%{somefield}" => "Hello world, from %{email}" }
          }
    }
    output {
            stdout { codec => rubydebug }
    }

Here is my output where %{email } should be populated with email address.
Can anyone help ?

aaron-nimocks · December 18, 2020, 4:49pm

Try %{[result][email]}?

ankitdevnalkar · December 18, 2020, 4:53pm

hey @aaron-nimocks, I tried that. no success.

aaron-nimocks · December 18, 2020, 5:11pm

I think this is similar to what you are seeing as data and the below works.

input {
  generator {
    lines => [
      '{ "results":[ { "email": "a@a.com" }, { "email": "b@b.com" }, { "email": "c@c.com" } ] }'
    ]
    count => 1
    codec => "json"
  }
}
filter {
  split
    {
      field => "results"
    }
  mutate {
    add_field => { "test" => "%{[results][email]}" }
  }    
}
output {
  stdout { codec =>  "rubydebug" }
}

Outputs

{
       "results" => {
        "email" => "a@a.com"
    },
      "@version" => "1",
          "host" => "Aarons-MBP.domain",
          "test" => "a@a.com",
      "sequence" => 0,
    "@timestamp" => 2020-12-18T17:06:06.753Z
}
{
       "results" => {
        "email" => "b@b.com"
    },
      "@version" => "1",
          "host" => "Aarons-MBP.domain",
          "test" => "b@b.com",
      "sequence" => 0,
    "@timestamp" => 2020-12-18T17:06:06.753Z
}
{
       "results" => {
        "email" => "c@c.com"
    },
      "@version" => "1",
          "host" => "Aarons-MBP.domain",
          "test" => "c@c.com",
      "sequence" => 0,
    "@timestamp" => 2020-12-18T17:06:06.753Z
}

ylasri · December 18, 2020, 5:13pm

As per your screenshot you should use

%{[result][actor][email]}?

aaron-nimocks · December 18, 2020, 5:15pm

%{[result][actor][email]}?

This is correct. I didn't see actor in your image.

ankitdevnalkar · December 18, 2020, 5:18pm

hey that worked. thanks buddy

system · January 15, 2021, 5:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.