Escape hyphen in fields for logstash

Question

I have a problem with logstash parsing, I need to extract a field separated by hyphen:

if "[payload][text][code][session-id]" {
  mutate {
    add_field => { "session-id" => "%{[payload][text][code][session-id]}" }
  }
}

the conditional is working because the quotes, but when I run the filter, it returns:

t session-id: %{[payload][text][code][session-id]}

and what I expect is:

t session-id: HK5wfPQgzkKHmgzVF

how I can scape the hypens in the payload field?

Answer 1

Your conditional is wrong, putting the field name between double quotes will make it a string and it will always be true, so your mutate filter will always run and add the field session-id with the content of the field [payload][text][code][session-id] , if the field does not exist, the string %{[payload][text][code][session-id]} will be added into session-id as the value of the field.

Your conditional should be if [payload][text][code][session-id] without double quotes.

You can reproduce this behavior with the following test pipeline

input {
    generator {
        message => "HK5wfPQgzkKHmgzVF"
        count => 1
    }
}
filter {
    dissect {
        mapping => {
            "message" => "%{[payload][text][code][session-id]}"
        }
    }
    if "[payload][text][code][session-id]" {
        mutate {
            add_field => { "session-id" => "%{[payload][text][code][session-id]}"}
        }
    }
}
output {
    stdout { }
}

Running this pipeline will give you the field session-id with the value HK5wfPQgzkKHmgzVF because the field [payload][text][code][session-id] exists and your conditional is always true, if you change the name of the field to [payload][text][code][session-id-test] in the dissect block and run the pipeline again, the value of session-id will now be %{[payload][text][code][session-id]} .

Remove the double quotes from the conditional and it will only be true if the field [payload][text][code][session-id] really exists.