Menu
What is the difference between add_field and replace, when configuring Logstash?
Semantically, they might expected to do different things, but the current manual does not have anything to say about how the two functions differ depending on the pre-existance of the relevant fields.
Example 1:
filter {
mutate {
add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
}
}
The manual does not say what the expected behavour is if the field already exists. Is the behaviour the same as replace?
Example 2:
filter {
mutate {
replace => { "message" => "%{source_host}: My new message" }
}
}
Once again the manual does not say what the expected behaviour is if the field does not already exist. Is it the same as add_field?
317
The Logstash add field is the configuration option setting that helps in adding one or more fields in the Logstash event pipeline. This is a guide to Logstash add a field.
A Field Reference Literal is a sequence of one or more Path Fragments that can be used directly in Logstash pipeline conditionals without any additional quoting (e.g. [request], [response] [status] ). In Logstash 7.x and earlier, a quoted value (such as ["foo"]) is considered a field reference and isn’t treated as a single element array.
To further differentiate between the log types, we need to make use of the Logstash Filter. You can access your Logstash filters from the dashboard for any of your Logit Stacks by choosing View Stack Settings > Logstash Pipelines. You can use Logstash to query log types in your Logstash filter and then perform actions based upon that condition.
The @metadata field edit In Logstash 1.5 and later, there is a special field called @metadata. The contents of @metadata will not be part of any of your events at output time, which makes it great to use for conditionals, or extending and building event fields with field reference and sprintf formatting.
Semantically, they might seem equivalent but they are different as add_field might not always kick in.
replace is part of the mutate filter and if you're looking at the source code of that plugin, you'll see that replace will always set a field even if it doesn't exist:
def replace(event)
@replace.each do |field, newvalue|
event.set(field, event.sprintf(newvalue))
end
end
add_field, however, is a generic configuration of any input and filter plugins and you'll often see in the documentation of some specific filter plugins something like this (e.g. for the grok filter):
If this filter is successful, add any arbitrary fields to this event. [...]
This configuration is inherited from LogStash::Filters::Base, which is the superclass of all filter plugins. This means that in certain filter plugins, in order for add_field to actually add the field, the filter must be successful, otherwise no fields is added.
So in your case, mutate/replace will always set a field even if it doesn't exist, and mutate/add_field will add the specified fields after running all the operations of the mutate filter.
So if you have a mutate filter that does some specific operation like gsub and fails for some reason, no fields will be added as a result.
92
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
