Search code examples
logstash

Logstash - add new field by multi condition

Good afternoon. Logs from network devices are transferred to Logstash using syslog.

  beats {
        type => "filebeat_nginx_proxy_connect"
        port => 5044
  }
  syslog {
        type => "syslog"
        port => 5145
        host => "0.0.0.0"
 }
}

Then they get into elastic and are displayed in kibana введите сюда описание изображения

As you can see from the picture, the ip address of the device is displayed. I have a mapping of ip addresses of all devices and their sysname. How can I add a new field (for example, sysname) to the document that will display the device name. I tried using mutate (add_fields) and if conditions, but a lot of conditions are obtained since the number of devices is about 2500 thousand. Maybe I need to write my own filter for logstash. But I don't know how and where to look for information. Please help..

I tried using mutate (add_fields) and if conditions, but a lot of conditions are obtained since the number of devices is about 2500 thousand.

Solution

  • If you have a mapping of the IP addresses of all devices and their sysname, you could simply leverage the translate filter plugin which does exactly that, i.e. map the value of one field into another value stored in another field:

    translate {
    source => "[ip_field]"
    target => "[sysname_field]"
    override => true
    dictionary_path => "/path/to/ip/file/mapping.csv"
    fallback => "N/A"
}