Using field value from one filter logstash to another field

Hi everyone,

I have a question for you.
I use Filebeat (two different log file inputs), Logstash, Elasticsearch and Kibana, and I want to take a field value from one filter in the Logstash conf file and use it on another field with "mutate".
This is my logstash file:

input {
  beats {
    port => "5044"
  }
}

filter {
  # Handler log lines carry the IP, DOMAIN and USER values.
  if [fields][log_type] == "handler" {
    grok {
      match => {
        "message" => [
          # Literal [ and ] around the thread id must be escaped in a grok pattern.
          "%{TIMESTAMP_ISO8601:timestamp} \[%{WORD:threadid}\] %{WORD:loglevel} - IP:%{IP:ip}; DOMAIN:%{GREEDYDATA:domain}; USER:%{WORD:user}; UserMessage: %{GREEDYDATA:UserMessage}"
        ]
      }
    }
    geoip {
      source => "ip"
    }
  }
  # Example log lines have no IP, DOMAIN or USER of their own.
  if [fields][log_type] == "example" {
    grok {
      match => {
        "message" => [
          "%{TIMESTAMP_ISO8601:timestamp}\s+\[%{WORD:threadid}\]\s+%{WORD:loglevel}\s+%{GREEDYDATA:logger}\s+-\s*%{GREEDYDATA:UserLogMessageExample}"
        ]
      }
    }
    # The mutate block the question is about.
    mutate {
      add_field => { "ip" => "%{ip}" }
      add_field => { "domain" => "%{domain}" }
      add_field => { "user" => "%{user}" }
    }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
}

I want to use the IP, user and domain field values from the log_type "handler" in the log_type "example" with the mutate filter add_field.
I tried this, but the mutate filter writes "%{ip}", "%{user}" and "%{domain}" and not the real values. So it's not working.
Can anyone help me?

Thanks in advance.
Regards.

That does not make sense. It says to set the [domain] field to the value of the [domain] field. So if the domain field exists it does nothing. If the domain field does not exist it will set it to "%{domain}".
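The behaviour described in this thread, as an added Ruby model that is not part of the original posts and is not Logstash source code: a `%{field}` reference is resolved only against the event being processed, so an "example" event never sees a "handler" event's values unless something stores them between events. Assumptions: events are plain hashes, the sample events are constructed, and the two log types are correlated by `threadid`, which the thread does not state.

```ruby
# Illustrative model only; Correlator and the helpers are hypothetical names.
CARRIED = %w[ip domain user].freeze

# Replace each %{name} with the current event's value. A field missing from
# this event leaves the reference as literal text.
def sprintf_event(event, template)
  template.gsub(/%\{([^}]+)\}/) { event.key?($1) ? event[$1].to_s : $& }
end

# What the mutate block in the question amounts to on an event that lacks the
# fields (only the missing-field case is modelled here).
def naive_add_fields(event)
  CARRIED.each { |f| event[f] = sprintf_event(event, "%{" + f + "}") unless event.key?(f) }
  event
end

# Assumed correlation: remember the last handler values per thread id and copy
# them onto later "example" events from the same thread.
class Correlator
  def initialize
    @last_seen = {}
  end

  def process(event)
    key = event["threadid"]
    case event["log_type"]
    when "handler"
      @last_seen[key] = event.slice(*CARRIED)
    when "example"
      context = @last_seen.fetch(key, {})
      CARRIED.each { |f| event[f] = context[f] if context.key?(f) }
    end
    event
  end
end

# Constructed sample events (already parsed, as grok would leave them).
HANDLER_EVENT = { "log_type" => "handler", "threadid" => "12", "ip" => "203.0.113.7",
                  "domain" => "CORP", "user" => "alice" }
EXAMPLE_EVENT = { "log_type" => "example", "threadid" => "12",
                  "UserLogMessageExample" => "record saved" }

if __FILE__ == $PROGRAM_NAME
  puts naive_add_fields(EXAMPLE_EVENT.dup).inspect
  correlator = Correlator.new
  correlator.process(HANDLER_EVENT.dup)
  puts correlator.process(EXAMPLE_EVENT.dup).inspect
end
```

In a real pipeline the same idea needs state that outlives a single event, for example the aggregate filter, and it depends on the handler event being processed before the example event it should enrich.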
