Logstash mutate Filter Plugin

The mutate filter plugin is one of the most versatile and commonly used filters in Logstash. It allows you to perform general mutations on fields, including renaming, removing, replacing, and modifying fields in your events. This plugin is essential for data cleansing, normalization, and transformation tasks within your Logstash pipeline.

Syntax

The basic syntax for the mutate filter is:

filter {
  mutate {
    # mutation operations
  }
}

For detailed information on all available options, refer to the official Logstash mutate filter documentation.

Example Use Case and Usage

Let's consider a scenario where you need to process log data and standardize field names, convert data types, and remove unnecessary fields:

filter {
  mutate {
    rename => { "host" => "hostname" }
    convert => { "response_time" => "float" }
    remove_field => ["unnecessary_field"]
    gsub => [
      "user_agent", "Mozilla\/[0-9.]+", "mozilla"
    ]
    uppercase => [ "status" ]
  }
}

In this example, we:

  1. Rename the "host" field to "hostname"
  2. Convert the "response_time" field to a float
  3. Remove the "unnecessary_field"
  4. Use gsub to replace the "Mozilla/<version>" token in the user_agent field with "mozilla"
  5. Convert the "status" field to uppercase

Common Issues and Best Practices

  1. Order of operations: The order of mutations within the mutate filter matters. Operations are executed in the order they appear.

  2. Field existence: Be cautious when operating on fields that may not exist in all events. Use conditional logic or the coerce option when appropriate.

  3. Performance: While mutate is efficient, excessive use can impact performance. Combine multiple mutate operations into a single filter when possible.

  4. Data types: When using convert, ensure the data can be correctly parsed into the desired type to avoid conversion errors.

  5. Backup fields: Before making destructive changes, consider copying important fields to backup versions.
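
The guards from items 2, 4 and 5 above, put together in one pipeline. This is an added example, not part of the original page. The two sample events, the response_time_raw field and the response_time_not_numeric tag are constructed for illustration.

```logstash
# Added example. Field names follow the page's example; the sample events,
# the backup field name and the tag name are constructed.
input {
  generator {
    lines => [
      '{"response_time":"0.245","status":"ok"}',
      '{"response_time":"n/a","status":"error"}'
    ]
    count => 1
    codec => "json"
  }
}

filter {
  # Backup first, in its own mutate block, so the original string is
  # preserved before any later block changes the field.
  if [response_time] {
    mutate {
      copy => { "response_time" => "response_time_raw" }
    }
  }

  # Convert only values that look like a decimal number; tag the rest so
  # they can be found and reviewed later instead of being coerced.
  if [response_time] =~ /^[0-9]+(\.[0-9]+)?$/ {
    mutate {
      convert => { "response_time" => "float" }
    }
  } else {
    mutate {
      add_tag => ["response_time_not_numeric"]
    }
  }

  # Guard on field existence before normalising the status value.
  if [status] {
    mutate {
      uppercase => ["status"]
    }
  }
}

output {
  # Print each event in full to check the result of the filters above.
  stdout { codec => rubydebug }
}
```

With these inputs, the first event should show response_time as a float next to the untouched response_time_raw string, and the second should keep "n/a" and carry the response_time_not_numeric tag.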

Frequently Asked Questions

Q: Can I use mutate to create new fields?
A: Yes, you can use the add_field option within mutate to create new fields based on static values or dynamic content from other fields.

Q: How can I conditionally apply mutate operations?
A: You can wrap the mutate filter in a conditional block using Logstash's if statement to apply mutations only when certain conditions are met.

Q: Is it possible to perform mathematical operations with mutate?
A: While mutate itself doesn't perform complex math, you can use the ruby filter in conjunction with mutate to perform calculations and then store the results.

Q: Can mutate handle array operations?
A: Yes, mutate can work with arrays. You can use operations like split, join, and merge to manipulate array fields.

Q: How do I troubleshoot if my mutate filter isn't working as expected?
A: Use Logstash's debug logging or the stdout output plugin to inspect your events before and after the mutate filter. This will help you understand how the filter is affecting your data.
