更改 logstash 中的动态字段值

Question

I'm using a filter in logstash. I wanna change value of a dynamic field in logstash. I'm using below codes in my filter:

if [state_ls_keyvalue] == "False" {
            
    mutate{
        add_field => {"%{field_ls_keyvalue}" => "%{enrich_column}"}
    }

} else {
     mutate{
       remove_field => ["%{field_ls_keyvalue}"]
     }

     mutate{
       add_field => {"%{field_ls_keyvalue}" => "%{enrich_column}"}
     }
}

but it does not work. how shall I handle it?

Answer 1

Both the remove_field and add_field sprintf the field name.

output { stdout { codec => rubydebug { metadata => false } } }
input { generator { count => 1 lines => [ '{ "field_ls_keyvalue": "a", "a": "c", "enrich_column": "d" }' ] codec => json { } } }
filter {
    mutate { remove_field => [ "%{field_ls_keyvalue}" ] }
    mutate { add_field => { "%{field_ls_keyvalue}" => "%{enrich_column}" } }
}

will produce

"a" => "d",

If that is not happening for you then it suggests the conditional test of [validation] is evaluating to false.

Answer 2

The problem is related to type of field in elasticsearch. we can handle with mapping and change it.

using only add_field , the value of new field appends into old one.

using remove_field and then add_field , replace the value of new field to old one.