Change a specific "Value" inside a "Field" in Logstash Config file-CodePudding

I want to change a value inside a field of logstash config file.

For my case my logstash config file is like this..

# Read input from filebeat by listening to port 5044 on which filebeat will send the data
input {
    beats {
        port => "5044"
    }
}

filter {
    ######################################### For Solr ############################################## 
    if "solr" in [log][file][path] {
        grok {
            match => {"message" => "%{DATA:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}%{GREEDYDATA:log-message}"}
            #remove_field => ["message"]
            #add_field => {"message" => "%{log-message}"}
        }
    }
    
    ############################################## For Server ############################################## 
    if "server.log" in [log][file][path] {
        grok {
            match => {"message" => "%{DATA:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}\[%{DATA}\]%{SPACE}\(%{DATA:thread}\)%{SPACE}%{GREEDYDATA:log-message}"}
            #match => { "[log][file][path]" => "%{GREEDYDATA}/%{GREEDYDATA:jboss-log}.log"}
            #remove_field => ["message"]
            #add_field => {"message" => "%{log-message}"}
        } 
        
    }
    
    ############################################## For Mongo ############################################## 
    else if "mongos" in [log][file][path] or "config" in [log][file][path] or "shard" in [log][file][path] or "metrics_" in [log][file][path]{
        grok {
            match => {"message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{GREEDYDATA:log-message}"}
            #remove_field => ["message"]
            #add_field => {"message" => "%{log-message}"}
        }
    }
    ############################################## For mongo.log #####################################################
    else if "mongo" in [log][file][path] {
        grok {
            match => {"message" => "\[%{DATA:timestamp}\]%{SPACE}%{LOGLEVEL:log-level}%{SPACE}\[%{DATA:class}\]%{SPACE}%{GREEDYDATA:log-message}"}
            #remove_field => ["message"]
            #add_field => {"message" => "%{log-message}"}
        }
    }
    ############################################## For Kafka ############################################## 
    else if "kafka" in [log][file][path] {
        grok {
            match => {"message" => "\[%{DATA:timestamp}\]%{SPACE}%{LOGLEVEL:log-level}%{SPACE}\[%{DATA:class}\]%{SPACE}%{GREEDYDATA:log-message}"}
            #remove_field => ["message"]
            #add_field => {"message" => "%{log-message}"}
        }
    }
    
    ############################################## For mongodb_output & mongodb_exception ############################################## 
    else if "mongodb_exception" in [log][file][path] or "mongodb_output" in [log][file][path]{
        grok {
            match => {"message" => "\[%{DATA:timestamp}\]%{SPACE}%{LOGLEVEL:log-level}%{SPACE}\[%{DATA:class}\]%{SPACE}%{GREEDYDATA:log-message}"}
            #remove_field => ["message"]
            #add_field => {"message" => "%{log-message}"}
        }
    }
    
    ############################################## Other Logs ##############################################
    else {
        grok {
            #match => {"message" => "\[%{MONTHDAY:day}%{SPACE}%{MONTH:month}%{SPACE}%{YEAR:year},%{SPACE}%{TIME:time}\]%{SPACE}%{LOGLEVEL:log-level}%{SPACE}\[%{DATA:class}\]\[%{DATA:thread}\]%{SPACE}%{GREEDYDATA:log-message}"}
            match => {"message" => "\[%{DATA:timestamp}\]%{SPACE}%{LOGLEVEL:log-level}%{SPACE}\[%{DATA:class}\]\[%{DATA:thread}\]%{SPACE}%{GREEDYDATA:log-message}"}
            #remove_field => ["message"]
            #add_field => {"message" => "%{log-message}"}
        }
    }
   
   
   
   ################################################################
   
   grok {
        match => { "[log][file][path]" => ["%{GREEDYDATA}/%{GREEDYDATA:component}.log" , "%{PATH}\\%{GREEDYDATA:component}\_%{GREEDYDATA}.log" ]}
   }
   
   if [component] =~ "^server" {
        mutate {
            rename => { "%{server}" => "renamed_server" }
        }   
   }
       
} 

output {
    
    # sending properly parsed log events to elasticsearch
    elasticsearch {
            hosts => ["localhost:9200"]
    }
}

I am getting a value of component field as server but I want to change the value of component field server to renamed_server.

I have tried the above but I am not getting any output.

Please help me to find out the required solution.

CodePudding user response：

I guess the problem is with this block:

if [component] =~ "^server" {
  mutate {
    rename => { "%{server}" => "renamed_server" }
  }   
}

.. since it doesn't do what you desire, i.e.

I want to change the value of component field server to renamed_server.

rename mutate configuration doesn't change values, it renames fields.

If you want to change value, you can use gsub. And since you want to change the exact value, maybe you can get by without the conditional altogether. E.g.:

    mutate {
      gsub => [
        # replace `server` value with `renamed_server` in component field
        "component", "^server$", "renamed_server"
      ]
    }

CodePudding user response：

I have modified this field with gsub it also worked as well.

mutate {
        gsub => [
            "component", "^server$", "renamed_server",
            "component", "^[0-9]{3}.*[0-9]{3}.*[0-9]{2}.*[0-9]{2}.*[0-9]{5}.*output$" , "client_output"
        ]
}