rename fields after useragent plugin #139

moix · 2019-08-12T11:22:04Z

Hello,
I'm applying a pipeline for an apm setup where I'm using two filters, geoip and useragent at the moment.

input {
  beats {
    port => 5044
  }
}

filter {
  geoip {
    source => [ "[context][request][socket][remote_address]" ]
    target => "user.geoip"
  }
  useragent {
    source => [ "[user_agent][original]" ]
    target => "user_agent.fields"
  }
}

So I got something like following for the user agent for example:

    "user_agent": {
      "original": "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0"
    },
. . .
    "user_agent.fields": {
      "minor": "0",
      "major": "64",
      "os": "Fedora",
      "build": "",
      "name": "Firefox",
      "os_name": "Fedora",
      "device": "Other"
    },

which is fine, but the index definition of apm is slightly different:

      "user_agent": {
        "dynamic": false,
        "properties": {
          "device": {
            "properties": {
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "name": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "original": {
            "fields": {
              "text": {
                "norms": false,
                "type": "text"
              }
            },
            "ignore_above": 1024,
            "type": "keyword"
          },
          "os": {
            "properties": {
              "family": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "full": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "kernel": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "platform": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "version": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }

so I thought on performing a move, for example useragent os_name should be renamed with:

  mutate {
    rename => { "[user_agent][fields][os_name]" => "[user_agent][os][name]" }
  }

however this is not working. I'm guessing that filters are not applied in order maybe, son when mutate tries to rename, the user_agent hasn't run yet?

thanks

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rename fields after useragent plugin #139

rename fields after useragent plugin #139

moix commented Aug 12, 2019 •

edited

Loading

rename fields after useragent plugin #139

rename fields after useragent plugin #139

Comments

moix commented Aug 12, 2019 • edited Loading

moix commented Aug 12, 2019 •

edited

Loading