In this tutorial, I will show you how to add a new field in Logstash, with examples covering the most common cases.
In general, we will use the mutate filter plugin with the add_field option to create a new field in Logstash.
Contents
- Adding a New Field in Logstash
- Adding a New Field Concatenated from Multiple Fields in Logstash
- Adding a New Field Based on Condition in Logstash
- Conclusion
Adding a New Field in Logstash
To add a new field in Logstash, we can use the add_field option in the mutate filter. The syntax is as follows:
    input {
      # ...
    }
    filter {
      mutate {
        add_field => {
          "field" => "value"
          "another_field" => "another value"
        }
      }
    }
    output {
      # ...
    }
For example, I will use the following sample log and add the fields age, phone_number, gender.letter and gender.full:
    {
      "name": "Minh Vu",
      "location": "Viet Nam"
    }
To add age, phone_number, gender.letter and gender.full, I will use the following Logstash config:
    input {
      # ...
    }
    filter {
      mutate {
        add_field => {
          "age" => 21
          # Hash entries use =>, not a colon.
          "phone_number" => "0987654321"
          # Nested fields are written as [parent][child].
          "[gender][letter]" => "M"
          "[gender][full]" => "Male"
        }
      }
    }
The result will be:
    {
      "name": "Minh Vu",
      "location": "Viet Nam",
      "age": 21,
      "phone_number": "0987654321",
      "gender": {
        "letter": "M",
        "full": "Male"
      }
    }
Adding a New Field Concatenated from Multiple Fields in Logstash
The add_field option can also read the values of existing fields, so we can combine existing fields and assign the result to a new field.
To access the value of a field, you can use the % operator with that field name like this:
    # ...
    filter {
      mutate {
        add_field => {
          "field" => "%{current_field}"
          "some_field" => "%{[some][nested][field]}"
        }
      }
    }
    # ...
For example, to combine my information above into a new comma-separated field csv, I can use the following config:
    # ...
    filter {
      mutate {
        add_field => {
          "csv" => "%{name},%{age},%{phone_number},%{location},%{[gender][letter]}"
        }
      }
    }
    # ...
The result will be:
    {
      "name": "Minh Vu",
      "location": "Viet Nam",
      "age": 21,
      "phone_number": "0987654321",
      "gender": {
        "letter": "M",
        "full": "Male"
      },
      "csv": "Minh Vu,21,0987654321,Viet Nam,M"
    }
Adding a New Field Based on Condition in Logstash
To add a field only when some condition holds, you can wrap the mutate filter in an if statement.
The config is as follows:
    # ...
    filter {
      if some_condition {
        mutate {
          add_field => {
            "field" => "value"
          }
        }
      }
    }
For example, I want to add a field adult based on a condition: it is true if age > 18, and false otherwise.
I will use the following config to add that adult field:
    # ...
    filter {
      if [age] > 18 {
        mutate {
          add_field => {
            "adult" => "true"
          }
        }
      } else {
        mutate {
          add_field => {
            "adult" => "false"
          }
        }
      }
    }
The result will be:
    {
      "name": "Minh Vu",
      "location": "Viet Nam",
      "age": 21,
      "phone_number": "0987654321",
      "gender": {
        "letter": "M",
        "full": "Male"
      },
      "csv": "Minh Vu,21,0987654321,Viet Nam,M",
      "adult": "true"
    }
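The three cases above combined into one pipeline that runs offline, as an added example rather than the author's own config. It accounts for two behaviours of add_field: values are stored as strings, and a %{field} reference to a missing field is left in the output as literal text. The generator input with its constructed event and the csv_incomplete tag name are assumptions made for this example.

```logstash
input {
  # Constructed sample event, emitted once so the pipeline needs no external source.
  generator {
    lines => ['{ "name": "Minh Vu", "location": "Viet Nam" }']
    count => 1
    codec => "json"
  }
}

filter {
  mutate {
    add_field => {
      "age"              => "21"
      "phone_number"     => "0987654321"
      "[gender][letter]" => "M"
      "[gender][full]"   => "Male"
    }
  }

  # add_field stores the value as a string, so convert it in a separate
  # mutate block before any numeric comparison on [age].
  mutate {
    convert => { "age" => "integer" }
  }

  # Build csv only when every referenced field exists; a missing field
  # would otherwise leave the literal text %{field} inside the value.
  if [name] and [age] and [phone_number] and [location] and [gender][letter] {
    mutate {
      add_field => {
        "csv" => "%{name},%{age},%{phone_number},%{location},%{[gender][letter]}"
      }
    }
  } else {
    # Hypothetical tag name, used here to make incomplete events searchable.
    mutate { add_tag => ["csv_incomplete"] }
  }

  if [age] > 18 {
    mutate { add_field => { "adult" => "true" } }
  } else {
    mutate { add_field => { "adult" => "false" } }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Field values are interpolated verbatim, so a value that itself contains a comma shifts the columns of csv. Fields that come from untrusted log sources need quoting or a different delimiter before the line is parsed downstream.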
Conclusion
In this tutorial, I have shown you how to add a new field in Logstash using the mutate filter with the add_field option.
To recap, there are 3 common cases to add a new field in Logstash:
- Adding a new field with a static value.
- Adding a new field by combining existing fields.
- Adding a new field based on a condition.
Hope you find this tutorial helpful. If you have any questions, feel free to leave a comment below. Thank you for reading!
Comments
Lamp
Apr 03, 2024
thanks a lot