
Logstash Filter not working when something has a period in the name


So I need to write a filter that changes all the periods in field names to underscores. I am using mutate, and I can do some things and not other things. For reference here is my current output in Kibana.

[Image: Kibana Data]

See those fields that say "packet.event-id" and so forth? I need to rename all of those. Here is my filter that I wrote, and I do not know why it doesn't work:

filter {
    json {
        source => "message"
    }
    mutate {
        add_field => { "pooooo" => "AW CMON" }
        rename => { "offset" => "my_offset" }
        rename => { "packet.event-id" => "my_packet_event_id" }
    }
}

The problem is that I CAN add a field, and the renaming of "offset" WORKS. But when I try and do the packet one nothing changes. I feel like this should be simple and I am very confused as to why only the one with a period in it doesn't work.

I have refreshed the index in Kibana, and still nothing changes. Anyone have a solution?


Solution

  • When they show up in dotted notation in Kibana, it's because there is structure to the document you originally loaded in JSON format.

    To access the document structure using Logstash, you need to use [packet][event-id] in your rename filter instead of packet.event-id.

    For example:

    filter {
        mutate { 
            rename => { 
                "[packet][event-id]" => "my_packet_event_id" 
            }
        }
    }
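
As an added illustration (not part of the original answer, and not Logstash's own code), this plain-Ruby model shows why the dotted name misses the nested value while the bracketed reference finds it. It goes one step beyond the answer by flattening every nested field to an underscore-joined name, which is what the question set out to do. The sample event and all helper names are constructed for the example.

```ruby
require 'json'

# Constructed sample event, shaped like the nested JSON the question describes.
SAMPLE = JSON.parse('{"offset": 42, "packet": {"event-id": 7, "src": {"ip": "192.0.2.10"}}}')

# Convert a dotted name as Kibana displays it into a bracketed field reference.
def to_field_reference(dotted)
  dotted.split('.').map { |part| "[#{part}]" }.join
end

# Resolve a reference against a nested hash. A bare name (no brackets) is
# treated as one literal top-level key, which is why "packet.event-id" misses.
def lookup(event, reference)
  keys = reference.scan(/\[([^\[\]]+)\]/).flatten
  keys = [reference] if keys.empty?
  keys.reduce(event) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Flatten nested objects into top-level fields joined with underscores.
# Raises instead of silently overwriting when two paths map to the same name.
def flatten_fields(event, prefix = nil, out = {})
  event.each do |key, value|
    name = [prefix, key].compact.join('_').tr('.', '_')
    if value.is_a?(Hash)
      flatten_fields(value, name, out)
    else
      raise ArgumentError, "field name collision: #{name}" if out.key?(name)
      out[name] = value
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  dotted = 'packet.event-id'
  puts "bare name     #{dotted.inspect} -> #{lookup(SAMPLE, dotted).inspect}"
  ref = to_field_reference(dotted)
  puts "bracketed ref #{ref.inspect} -> #{lookup(SAMPLE, ref).inspect}"
  puts "flattened     #{flatten_fields(SAMPLE).inspect}"
end
```

The collision check matters when flattened events feed alerting or search: two different source paths collapsing into one field name would otherwise overwrite each other without any error.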