Use filebeat processor to concatenate string

I have a situation where a customer has a custom syslog file for the Citrix ADC Netscaler. I would like to use the fleet integration for this but it doesn’t support the header format they have. I would like to modify that header and rewrite it so it will ingest cleanly. I will need to use the filebeat processors through fleet to do this.

I have tried any number of add fields etc, but cannot get the concatenated string to work.

A simplified example would be a logline that looks like:

source message: field1-field2-field3

target message: field3-field2-field1

I can easily dissect this into parts, but cannot get a processor to work that cats the string back together. Suggestions?

    - dissect:
        tokenizer: "%{f1}-%{f2}-%{f3}"
        field: "message"
        overwrite_keys: true

    - add_fields:
        target: ''
        fields:
          combined_string: "{f3}-{f2}-{f1}"

Hello @mistrhanky1

You can try using the script processor or the ingest pipeline shared in this post:

https://discuss.elastic.co/t/how-to-concatenate-two-fields-using-add-fields-processor-in-filebeat/306488/15

    processors:
      - dissect:
          tokenizer: "%{f1}-%{f2}-%{f3}"
          field: message
          target_prefix: ""
          overwrite_keys: true

      - script:
          lang: javascript
          source: >
            function process(event) {
              var f1 = event.Get("f1");
              var f2 = event.Get("f2");
              var f3 = event.Get("f3");

              if (f1 && f2 && f3) {
                event.Put("message", f3 + "-" + f2 + "-" + f1);
              }
            }

Thanks!!

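A variant of the script above, as an added example that is not part of the original posts: it treats an empty field as present, tags events that were not split so they do not pass unnoticed, and removes the temporary `f1`-`f3` keys. `MockEvent`, `rewriteHeader`, `run` and the tag name are assumptions made so it runs under Node.js; in Filebeat the body of `rewriteHeader` goes inside `process(event)`.

```javascript
// Hypothetical stand-in for the event object Filebeat passes to the script
// processor; it mirrors only the Get/Put/Delete/Tag methods used below.
function MockEvent(fields) { this.fields = fields; this.tags = []; }
MockEvent.prototype.Get = function (k) { return this.fields[k]; };
MockEvent.prototype.Put = function (k, v) { this.fields[k] = v; };
MockEvent.prototype.Delete = function (k) { delete this.fields[k]; };
MockEvent.prototype.Tag = function (t) {
  if (this.tags.indexOf(t) < 0) { this.tags.push(t); }
};

// Rebuilds message as f3-f2-f1. Written in ES5 style (var, plain functions).
function rewriteHeader(event) {
  var order = ["f3", "f2", "f1"];
  var parts = [];
  var i, v;
  for (i = 0; i < order.length; i++) {
    v = event.Get(order[i]);
    // Test for absence, not truthiness: an empty string is a real value,
    // and `if (f1 && f2 && f3)` would skip such an event without a trace.
    if (v === undefined || v === null) {
      // Constructed tag name: makes unparsed lines searchable downstream.
      event.Tag("header_rewrite_skipped");
      return; // leave the original message untouched
    }
    parts.push(String(v));
  }
  event.Put("message", parts.join("-"));
  // Drop the temporary keys so they are not indexed alongside the message.
  for (i = 0; i < order.length; i++) { event.Delete(order[i]); }
}

// Helper for trying the function on constructed sample fields.
function run(fields) {
  var evt = new MockEvent(fields);
  rewriteHeader(evt);
  return evt;
}

// Constructed samples: a split event, and one where no keys were extracted.
var ok = run({ message: "field1-field2-field3",
               f1: "field1", f2: "field2", f3: "field3" });
var unparsed = run({ message: "line without the expected header" });
console.log(ok.fields.message, unparsed.tags);
```

Filtering on the tag in the destination index shows how many lines reached the integration with the header still in its original form.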

This did the trick. Thank You!
