Is it not possible to use mutate filter after kv filter on fields created by the kv filter?
I have key value pairs which get divided by a kv filter. this is working great, the new fields appears on discover menu in kibana.
If i add a mutate filter on the new fields, this seems to be ignored.
Example: mutate { rename => ["dst" , "destination.ip"] }
Try mutate { rename => ["dst" , "[destination][ip]"] }
thx for answer.
behavior is the same with brackets.
strange is that it is working for action field with syntax mutate { rename => ["action" , "event.action"] }
additional info: action is the first key value pair in the data blob
This would be easier to debug if you posted the ruby debug output of an example event.
Are you sure that the field is actually called "dst" and not " dst" or something like that? (That would explain why the first one works and could easily be solved by the trim_key option in the kv filter)
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.