Minh Vu
Software Engineer
Hi 👋, I'm a software engineer specializing in backend systems, distributed systems, and scalable architecture. My blog shares practical tutorials based on 3+ years of experience. LeetCode 1756 (Top 10%). Actively seeking SDE roles — let's get in touch!
Leave a Comment
Receive Latest Updates 📬
Get every new post, special offers, and more via email. No fee required.
There are some basic options supported by all Logstash filter plugins that I often use to enrich the data.
For example, we can add a new field, remove an existing field, and more.
This tutorial will show you how to do that. Let's get started!
There are 7 options that are supported by all Logstash filter plugins, which means you can use them in any filter plugin.
In this tutorial, I will use the mutate filter plugin as an example, you can use any filter plugin based on your needs.
I will also use the following sample data for demonstration throughout this tutorial:
{ "message": "Minh Vu says hello to the world!", "status": 200, "timestamp": "2021-11-23T17:36:00Z" }
For the input and output part of the filter config, I will use this config to parse JSON lines log:
input { file { path => "/home/dminhvu/elastic/example.log" start_position => "beginning" sincedb_path => "/dev/null" codec => multiline { pattern => "\n" what => "next" } } } filter { # put the filter here } output { file { path => "/home/dminhvu/elastic/output.log" codec => "json_lines" } }
In Logstash, the add_field action is used to add a new field to the event.
The syntax to add a single field is as follows:
filter { mutate { add_field => { "new_field_name" => "new_field_value" } } }
To add multiple fields:
filter { mutate { add_field => { "new_field_name_1" => "new_field_value_1" "new_field_name_2" => "new_field_value_2" } } }
For example, we can add a new field fine with the value true to the event:
filter { mutate { add_field => { "fine" => "true" } } }
Using the above config will yield the result:
{ "fine": true, "message": "Minh Vu says hello to the world!", "status": 200, "timestamp": "2021-11-23T17:36:00Z" }
To remove a field from the event in Logstash, we can use the remove_field action.
The syntax is as follows:
filter { mutate { remove_field => [ "field_name" ] } }
To remove multiple fields:
filter { mutate { remove_field => [ "field_name_1", "field_name_2" ] } }
For example, we can remove the status field from the event:
filter { mutate { remove_field => [ "status" ] } }
Here is the result:
{ "message": "Minh Vu says hello to the world!", "timestamp": "2021-11-23T17:36:00Z" }
The add_tag action is used to add a tag to the event.
The syntax is as follows:
filter { mutate { add_tag => [ "tag_name" ] } }
To add multiple tags:
filter { mutate { add_tag => [ "tag_name_1", "tag_name_2" ] } }
To remove a tag from the event, we can use the remove_tag action.
The syntax is as follows:
filter { mutate { remove_tag => [ "tag_name" ] } }
To remove multiple tags:
filter { mutate { remove_tag => [ "tag_name_1", "tag_name_2" ] } }
The id action is used to set the ID of the plugin configuration, which is useful when you need to identify multiple plugins of the same type.
The syntax is as follows:
filter { mutate { id => "plugin_id" } }
The enable_metric action is used to enable or disable the metric collection for the plugin.
The syntax is as follows:
filter { mutate { enable_metric => true } }
The periodic_flush action is used to enable or disable periodic flush for the plugin.
The syntax is as follows:
filter { mutate { periodic_flush => true } }
In this tutorial, you have learned how to use 7 common options in all Logstash filter plugins.
These options are usually combined with other filter plugins to enrich the data. You can check the Related Posts section on the right to learn more about Logstash filter plugins.
Next.js SEO: The Complete Checklist to Boost Your Site Ranking
Next.js JSON-LD: How to Add Structured Data to Your Website
Logstash: How to Remove Field using Mutate Filter
Logstash Conditionals: Using if/else to Control Log Flow
Logstash: Add Field to Event with Mutate Filter
Comments
aida
Apr 01, 2024
easy to understand