Updated March 15, 2023
Introduction to Logstash add field
Logstash add field is the functionality enabled by the mutate filter, which supports the operation of modifying, renaming, adding, and deleting the fields in Logstash. The add field filter accepts the value of hash type and, by default, when not specified, contains the value of {}.
In this article, we will learn about how we can add the new fields inside the event in Logstash and also give a deeper look into it by studying its subtopics which include what is Logstash add field, how to do Logstash add field output, Logstash add field configuration, Logstash add field examples and Conclusion about the same.
What is Logstash add field?
Logstash add_field is a configuration option available for the filter plugins. It is one of the standard options, so it is supported by every plugin that can be used in the filter section. It lets us add new fields to the event as required and takes a hash as its value. We can also use a %{sample} string, where sample is the name of any field of the event, so that the new field contains part of that event's data.
When no value is specified for the add_field configuration option, the default is {}, an empty hash. The fields are added only when the filter succeeds. We will use the mutate plugin, in which we can add a field with any arbitrary name and value to the specific event. The field name can include any part of the event by using %{name of field}, so the name itself can be set dynamically.
Along with that, we can also use the replace configuration option supported by the mutate filter, which will help to change the existing value of the field or even add a new field in case the specified field does not exist inside the event. For this configuration option, we can also give the value to the field that can be a simple string value, or we can also set the other parts of the event as the value to the field using the %{any specific part} string value. We will be seeing an example of this as well.
How does Logstash add field output work?
The output of the Logstash add field configuration is the creation of the specified fields containing mentioned values inside it for the particular event in Logstash. These fields can be further considered for performing various operations depending on whether the field exists or has specific values. The value of the field can also be changed additionally. The output section of the configuration field should contain the code to display the fields and their values. In this way, we can check the creation of the field.
Logstash add field configuration
Logstash add field is a configuration option, one of the standard options supported by all the filter plugins available in Logstash. One such filter plugin, mutate, can add a new field and rename, change, or delete existing fields. add_field is the name of the setting to use, and it accepts a value in hash format. Specifying this option is entirely optional. We specify the name of the field and pass its value using the => symbol, and the name and value pairs are enclosed in curly braces. Using this configuration option, we can also add multiple fields to the event.
Logstash add field examples
Example #1
Let us consider one example where we will be adding a field named educba and the attached value containing part of the event, which will have the value as “It is a sample snippet that shows this appended message as value to field localhost” when run with the environment where the name of the host is localhost. The code snippet will be as shown below.
filter {
  mutate {
    add_field => { "educba%{sample_educba_field}" => "It is a sample snippet that shows this appended message as value to field %{name_of_host}" }
  }
}
The output of the above code snippet is as shown below –
Example #2
Now, we will add multiple fields to the event using a single add_field setting. We will add a field whose name is educba with a name appended from the event, and a field named one_more_field_to_add. The second field contains a fixed value, while the value of the first has the name of the host attached at run time. The code snippet will look as shown below –
filter {
  mutate {
    add_field => {
      "educba%{sample_educba_field}" => "It is a sample snippet that shows this appended message as value to field %{name_of_host}"
      "one_more_field_to_add" => "any random value"
    }
  }
}
The output of the above code snippet is as shown below –
Example #3
Using the replace configuration option, we can modify a field's value if the field already exists, or add the field to the event if it does not exist, using the same format. Consider the scenario where a field named educba_sample_field does not yet exist in the event. We will create it using replace and assign it the value “localhost: appended information to attach” using the below code snippet.
filter {
  mutate {
    # replace overwrites the field if present and creates it if absent
    replace => { "educba_sample_field" => "%{name_of_host}: appended information to attach" }
  }
}
The output of the above code snippet is as shown below –
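The three snippets above, combined into one pipeline that can be run to see the resulting fields on the console (an added example, not part of the original article). The generator input, its constructed JSON line, the existence check and the missing_source_field tag are assumptions made for the demonstration; without the check, an event lacking name_of_host would store the literal text %{name_of_host} as the value.

```logstash
# Added demonstration pipeline. Run with: bin/logstash -f add_field_demo.conf
input {
  generator {
    # One constructed event; the JSON supplies the two fields that the
    # article's snippets reference (name_of_host, sample_educba_field).
    lines => [ '{"name_of_host":"localhost","sample_educba_field":"_demo"}' ]
    count => 1
    codec => "json"
  }
}

filter {
  # Interpolate only when both referenced fields exist. An unresolved
  # %{...} reference is kept as literal text in the field name or value.
  if [name_of_host] and [sample_educba_field] {
    mutate {
      # Examples #1 and #2: several fields in one add_field hash.
      add_field => {
        "educba%{sample_educba_field}" => "It is a sample snippet that shows this appended message as value to field %{name_of_host}"
        "one_more_field_to_add" => "any random value"
      }
    }
    mutate {
      # Example #3: replace creates the field because it does not exist yet.
      replace => { "educba_sample_field" => "%{name_of_host}: appended information to attach" }
    }
  } else {
    # Mark the event instead of writing half-interpolated fields
    # (tag name is an assumption for this demo).
    mutate { add_tag => [ "missing_source_field" ] }
  }
}

output {
  # rubydebug prints every field of the event, including the added ones.
  stdout { codec => rubydebug }
}
```

Because the field name in the first entry is built from event data, a source that controls sample_educba_field also controls how many distinct field names reach the downstream index, so dynamic names are best limited to values from a known set.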
Conclusion
The Logstash add field is the configuration option setting that helps in adding one or more fields in the Logstash event pipeline.