In this tutorial, I will show you how to add a new field in Logstash with different examples that can be a case you are looking for.
In general, we will use the mutate filter plugin with the add_field option to create a new field in Logstash.
Contents
- Adding a New Field in Logstash
- Adding a New Field Concatenated from Multiple Fields in Logstash
- Adding a New Field Based on Condition in Logstash
- Conclusion
Adding a New Field in Logstash
To add a new field in Logstash, we can use the add_field option in the mutate filter. The syntax is as follows:
input {
# ...
}
filter {
mutate {
add_field => {
"field" => "value"
"another_field" => "another value"
}
}
}
output {
# ...
}For example, I will use the following sample log and add two more fields age, phone_number, gender.letter and gender.full:
{
"name": "Minh Vu",
"location": "Viet Nam"
}To add age, phone_number, gender.letter and gender.full, I will use the following Logstash config:
input {
# ...
}
filter {
mutate {
add_field => {
"age" => 21
"phone_number": "0987654321"
"[gender][letter]" => "M"
"[gender][full]" => "Male"
}
}
}The result will be:
{
"name": "Minh Vu",
"location": "Viet Nam",
"age": 21,
"phone_number": "0987654321",
"gender": {
"letter": "M",
"full": "Male"
}
}Adding a New Field Concatenated from Multiple Fields in Logstash
The add_field option also allows us to access the values of existing fields, so that we can create the combination of existing fields and assign to a new field.
To access the value of a field, you can use the % operator with that field name like this:
# ...
filter {
mutate {
add_field => {
"field" => "%{current_field}"
"some_field" => "%{[some][nested][field]}"
}
}
}
# ...For example, I want to combine my information above into a new field csv that is separated by a comma, I can use the following config:
# ...
filter {
mutate {
add_field => {
"csv" => "%{name},%{age},%{phone_number},%{location},%{[gender][letter]}"
}
}
}
# ...The result will be:
{
"name": "Minh Vu",
"location": "Viet Nam",
"age": 21,
"phone_number": "0987654321",
"gender": {
"letter": "M",
"full": "Male"
},
"csv": "Minh Vu,21,0987654321,Viet Nam,M"
}Adding a New Field Based on Condition in Logstash
To add a field with some condition, you can use the mutate filter with an if phrase.
The config is as follows:
# ...
filter {
if some_condition {
mutate {
add_field => {
"field" => "value"
}
}
}
}For example, I want to add a field adult based on the condition: returns true if age > 18, returns false otherwise.
I will use the following config to add that adult field:
# ...
filter {
if [age] > 18 {
mutate {
add_field => {
"adult" => "true"
}
}
} else {
mutate {
add_field => {
"adult" => "false"
}
}
}
}{
"name": "Minh Vu",
"location": "Viet Nam",
"age": 21,
"phone_number": "0987654321",
"gender": {
"letter": "M",
"full": "Male"
},
"csv": "Minh Vu,21,0987654321,Viet Nam,M",
"adult": "true"
}Conclusion
In this tutorial, I have shown you how to add a new field in Logstash using the mutate filter with the add_field option.
To recap, there are 3 common cases to add a new field in Logstash:
- Adding a new field with a static value.
- Adding a new field by combining existing fields.
- Adding a new field based on a condition.
Hope you find this tutorial helpful. If you have any questions, feel free to leave a comment below. Thank you for reading!
Comments
Lamp
Apr 03, 2024
thanks a lot