mutate

If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field}.

Example:

    filter {
      mutate {
        add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
      }
    }
[source,ruby]
    # You can also add multiple fields at once:
    filter {
      mutate {
        add_field => {
          "foo_%{somefield}" => "Hello world, from %{host}"
          "new_field" => "new_static_value"
        }
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add field foo_hello if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      mutate {
        add_tag => [ "foo_%{somefield}" ]
      }
    }
[source,ruby]
    # You can also add multiple tags at once:
    filter {
      mutate {
        add_tag => [ "foo_%{somefield}", "taggedy_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add a tag foo_hello (and the second example would of course add a taggedy_tag tag).

Convert a field’s value to a different type, like turning a string to an integer. If the field value is an array, all members will be converted. If the field is a hash, no action will be taken.

If the conversion type is boolean, the acceptable values are:

If a value other than these is provided, it will pass straight through and log a warning message.

Valid conversion targets are: integer, float, string, and boolean.

Example:

    filter {
      mutate {
        convert => { "fieldname" => "integer" }
      }
    }

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

Convert a string field by applying a regular expression and a replacement. If the field is not a string, no action will be taken.

This configuration takes an array consisting of 3 elements per field/substitution.

Be aware of escaping any backslash in the config file.

Example:

    filter {
      mutate {
        gsub => [
          # replace all forward slashes with underscore
          "fieldname", "/", "_",
          # replace backslashes, question marks, hashes, and minuses
          # with a dot "."
          "fieldname2", "[\\?#-]", "."
        ]
      }
    }

Add a unique ID to the plugin instance, this ID is used for tracking information for a specific configuration of the plugin.

output {
 stdout {
   id => "ABC"
 }
}

If you don’t explicitely set this variable Logstash will generate a unique name.

Join an array with a separator character. Does nothing on non-array fields.

Example:

   filter {
     mutate {
       join => { "fieldname" => "," }
     }
   }

Convert a string to its lowercase equivalent.

Example:

    filter {
      mutate {
        lowercase => [ "fieldname" ]
      }
    }

Merge two fields of arrays or hashes. String fields will be automatically be converted into an array, so:

`array` + `string` will work
`string` + `string` will result in an 2 entry array in `dest_field`
`array` and `hash` will not work

Example:

    filter {
      mutate {
         merge => { "dest_field" => "added_field" }
      }
    }

Call the filter flush method at regular interval. Optional.

If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:

    filter {
      mutate {
        remove_field => [ "foo_%{somefield}" ]
      }
    }
[source,ruby]
    # You can also remove multiple fields at once:
    filter {
      mutate {
        remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the field with name foo_hello if it is present. The second example would remove an additional, non-dynamic field.

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      mutate {
        remove_tag => [ "foo_%{somefield}" ]
      }
    }
[source,ruby]
    # You can also remove multiple tags at once:
    filter {
      mutate {
        remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the tag foo_hello if it is present. The second example would remove a sad, unwanted tag as well.

Rename one or more fields.

Example:

    filter {
      mutate {
        # Renames the 'HOSTORIP' field to 'client_ip'
        rename => { "HOSTORIP" => "client_ip" }
      }
    }

Replace a field with a new value. The new value can include %{foo} strings to help you build a new value from other parts of the event.

Example:

    filter {
      mutate {
        replace => { "message" => "%{source_host}: My new message" }
      }
    }

Split a field to an array using a separator character. Only works on string fields.

Example:

    filter {
      mutate {
         split => { "fieldname" => "," }
      }
    }

Strip whitespace from field. NOTE: this only works on leading and trailing whitespace.

Example:

    filter {
      mutate {
         strip => ["field1", "field2"]
      }
    }

Update an existing field with a new value. If the field does not exist, then no action will be taken.

Example:

    filter {
      mutate {
        update => { "sample" => "My new message" }
      }
    }

Convert a string to its uppercase equivalent.

Example:

    filter {
      mutate {
        uppercase => [ "fieldname" ]
      }
    }