Want to Combine Field Values into New Field Value

bhutchinson · September 2, 2015, 10:37pm

The useragent filter creates new field names in elasticsearch like "name", "major version", "minor version". Name is the browser name. Major version is the browser major version. Minor is the browser minor version.

I want to create a new field named "browser" that is a combination (conctenation) of the field values from name, major version, and minor version.

Example
My new "browser" field might have a value of "Internet Explorer 10.0", or "Google Chrome XX.X" or "Firefox XX.X"

What filter do I need to write in my logstash.conf to create the new "browser" field and populate the "browser" field with the concatenated value?

magnusbaeck · September 3, 2015, 3:41am

mutate {
  add_field => {
    "new_field" => "%{oldfield1} %{oldfield2}"
  }
  remove_field => ["oldfield1", "oldfield"]
}

This assumes that add_field is evaluated before remove_field but I'm pretty sure that's the case.

bhutchinson · September 3, 2015, 2:00pm

How do I add a period between the "major version" value and the "minor version" value?

I want to concatenate 3 fields into on field value. The new field will contain the 3 field values along with one space and one period.

Example
browser name (space) major version (period) minor version
Internet Explorer 10.0
Internet Explorer 9.0
Google Chrome XX.X
Mozilla Firefox XX.X

magnusbaeck · September 3, 2015, 2:06pm

The "%{oldfield1} %{oldfield2}" string above is a template where %{oldfield} will be replaced with the contents of the oldfield field. The rest of the string will be untouched. Hence, if you want a period between the two field values just put a period instead of a space. Such strings can also include more than two field references.