mutate

The mutate filter lets you perform general mutations on fields. You can rename, remove, replace, and modify fields in your event.

Synopsis

mutate {
}

Available settings

Setting         Type   Info  Default value
add_field       hash         {}
add_tag         array        []
convert         hash         {}
gsub            array        []
join            hash         {}
lowercase       array        []
merge           hash         {}
remove_field    array        []
remove_tag      array        []
rename          hash         {}
replace         hash         {}
split           hash         {}
strip           array        []
update          hash         {}
uppercase       array        []
remove_all_but  array        []

Details

add_field

  • Value type is hash
  • Default value is {}
  • If this filter is successful, add any arbitrary fields to this event.

add_tag

  • Value type is array
  • Default value is []
  • If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

convert

  • Value type is hash
  • Default value is {}
  • Convert a field’s value to a different type, like turning a string to an integer. If the field value is an array, all members will be converted. If the field is a hash, no action will be taken. If the conversion type is boolean, the acceptable values are true, t, yes, y, and 1 for True, and false, f, no, n, and 0 for False. If a value other than these is provided, it will pass straight through and log a warning message. Valid conversion targets are: integer, float, string, and boolean.

gsub

  • Value type is array
  • Default value is []
  • Convert a string field by applying a regular expression and a replacement. If the field is not a string, no action will be taken. This configuration takes an array consisting of 3 elements per field/substitution. Be aware of escaping any backslash in the config file.

join

  • Value type is hash
  • Default value is {}
  • Join an array with a separator character. Does nothing on non-array fields.

lowercase

  • Value type is array
  • Default value is []
  • Convert a value to its lowercase equivalent.

merge

  • Value type is hash
  • Default value is {}
  • Merge two fields of arrays or hashes. String fields will automatically be converted into an array.

remove_field

  • Value type is array
  • Default value is []
  • If this filter is successful, remove arbitrary fields from this event.

remove_tag

  • Value type is array
  • Default value is []
  • If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

rename

  • Value type is hash
  • Default value is {}
  • Rename the key of one or more fields.

replace

  • Value type is hash
  • Default value is {}
  • Replace a field with a new value. The new value can include %{foo} strings to help you build a new value from other parts of the event.

split

  • Value type is hash
  • Default value is {}
  • Split a field to an array using a separator character. Only works on string fields.

strip

  • Value type is array
  • Default value is []
  • Strip whitespace from the listed fields. NOTE: this only works on leading and trailing whitespace.

update

  • Value type is hash
  • Default value is {}
  • Update an existing field with a new value. If the field does not exist, then no action will be taken.

uppercase

  • Value type is array
  • Default value is []
  • Convert a value to its uppercase equivalent.

remove_all_but

  • Value type is array
  • Default value is []
  • Remove all fields except the listed fields (works only with first-level fields).
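
A worked configuration, added here as an example and not taken from the project's own documentation, that uses several of the settings above to sanitize an HTTP access event before it is indexed. The field names are constructed, and the `=>` notation for hash and array values is an assumption (Logstash-style); the page itself shows only the empty `mutate { }` block.

```conf
# Added example. Field names (request, user, src_port, status, clientip,
# authorization, cookie) are constructed; the "=>" syntax is assumed.
mutate {
  # gsub: three elements per substitution (field, regular expression,
  # replacement). The regex class \s is written \\s because backslashes
  # must be escaped in the config file.
  gsub => [
    "request", "password=[^&\\s]+", "password=REDACTED",
    "request", "token=[^&\\s]+", "token=REDACTED"
  ]

  # strip only trims leading and trailing whitespace; together with
  # lowercase it makes "Admin " and "admin" correlate as the same account.
  strip => ["user"]
  lowercase => ["user"]

  # convert: store numeric values as integers so that range comparisons
  # in detection rules are numeric rather than string comparisons.
  convert => {
    "src_port" => "integer"
    "status" => "integer"
  }

  # rename: give the source address a consistent key across log sources.
  rename => { "clientip" => "src_ip" }

  # remove_field: drop headers that carry secrets instead of shipping them.
  remove_field => ["authorization", "cookie"]

  # add_tag: mark the event so downstream stages can check it was sanitized.
  add_tag => ["sanitized"]
}
```

Each setting here touches a different field or is order-insensitive, so the result does not depend on the order in which the filter applies its settings.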
