Why does translate not work here?

cawoodm · March 8, 2018, 1:38pm

We would like to prioritize log messages of type WARN if they have a certain category.
So we receive {"type": "WARN", "category": "DefaultEmailService", "priority": 2}
and would like to output: {"type": "WARN", "category": "DefaultEmailService", "priority": 3}

The following works fine:

if [category] == "DefaultEmailService" and [type] == "WARN" {
	mutate { update => {"priority" => 3} }
}

We think however that we may have many such rules and that translate would be more elegant:

if [type] == "WARN" {
	translate {
		field => "category"
		destination => "priority"
		dictionary => {
			"DefaultEmailService" => 3
		}
	}
}

This does not update the priority field to 3 however. Why not?

Christian_Dahlqvist · March 8, 2018, 2:59pm

Try setting the override flag to true as the destination field already exists in the document.

cawoodm · March 16, 2018, 3:01pm

Yep, that did it thanks!

I guess I should RTM

cawoodm · March 27, 2018, 9:47am

Just noticed that translate does not like comments inside the dictionary.

The following totally craps out:

dictionary => {
	"DefaultEmailService" => 3     # Email not sent is an error
	"BcpSapPricingBackendERP" => 1 # Ignore
}

:ConfigurationError", :message=>"Expected one of #, {, } at ...

system · April 24, 2018, 9:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.