mutate filter - copy function

The copy configuration option of a mutate filter in Logstash

https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-...

is as follows:

filter {
  mutate {
    copy => { "source_field" => "dest_field" }
  }
}

Whereas the copy function of the mutate filter in the Chronicle documentation

is as follows:

mutate {
  copy => {
    "destinationToken" => "sourceToken"
  }
}

They seem to be differing in their logic. The destination field is on the left in Chronicle and on the right in Logstash. Which one is correct?

 

1 ACCEPTED SOLUTION

You're probably better off going with the Chronicle documentation where possible. I'm not sure if the differences between Logstash and Chronicle parser syntax are comprehensively documented somewhere, but there seem to have been significant changes made.

I quickly tested this by adding the following into a parser I had open and running a log through it:
# This goes in the top bit where vars are defined
"zzleft" => "left"
"zzright" => "right"

# This goes wherever you want, I've placed it at the bottom
mutate {
  copy => { "zzleft" => "zzright" }
}
statedump { "label" => "123" }

You can then look at the statedump and see that both vars now contain "right".

This indicates to me that the argument on the right was used as the source and written over the destination on the left. This is consistent with the Chronicle documentation.
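Added example, not part of the original posts: a Python sketch for porting a Logstash copy hash to the destination-on-the-left order that the test above confirmed for Chronicle, plus a toy model of both conventions. The function names and the regex-based parsing (no nested braces, double-quoted field names only) are assumptions of this example.

```python
import re

# copy => { ... } with no nested braces; field names must be double-quoted.
COPY_BLOCK = re.compile(r'(\bcopy\s*=>\s*\{)(.*?)(\})', re.DOTALL)
PAIR = re.compile(r'"([^"]+)"\s*=>\s*"([^"]+)"')

# Constructed sample: the Logstash snippet from the question.
LOGSTASH = '''filter {
  mutate {
    copy => { "source_field" => "dest_field" }
  }
}'''


def copy_pairs(config):
    """Return every (left, right) pair found in the copy hashes of config."""
    return [pair for block in COPY_BLOCK.finditer(config)
            for pair in PAIR.findall(block.group(2))]


def logstash_to_chronicle(config):
    """Rewrite Logstash source => dest pairs as Chronicle dest => source."""
    def swap(block):
        body = PAIR.sub(lambda p: f'"{p.group(2)}" => "{p.group(1)}"',
                        block.group(2))
        return block.group(1) + body + block.group(3)
    return COPY_BLOCK.sub(swap, config)


def apply_copy(state, pairs, source_on_left):
    """Toy model of copy: source_on_left=True is Logstash, False is Chronicle."""
    out = dict(state)
    for left, right in pairs:
        src, dst = (left, right) if source_on_left else (right, left)
        out[dst] = out[src]  # assumes the source field exists
    return out


if __name__ == "__main__":
    print(logstash_to_chronicle(LOGSTASH))
    # The accepted answer's test, replayed under the Chronicle convention.
    print(apply_copy({"zzleft": "left", "zzright": "right"},
                     [("zzleft", "zzright")], source_on_left=False))
```

Review any converted parser with a statedump as in the answer above, since a copy left in the wrong order overwrites the field you meant to read.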


3 REPLIES 3


How can I test this in the UI as well, please?

Hi @mountaincode2

Technically both code blocks you have pasted are the same. However, the copy command in the first block is not expanded like it is in the second block. And the second block simply lacks the filter block, but it's understood that the mutate command would be included within the filter block, which is why it's not depicted like that in Chronicle documentation. That's because when you create a new parser or a new parser extension, Chronicle prints the filter block for you, whereas Logstash does not. The biggest differences between the 2 blocks are the fields being copied and the fields being copied to (if that makes sense?).

If you remove filter from the first code block and put the source and destination fields on a line of their own, it would look very much the same as the second code block. See below:

mutate {
   copy => { 
      "source_field" => "dest_field"
   }
}

Or we can do the opposite and make the second block look like the first by adding the filter block and putting the source and destination fields on the same line as the copy command. If we do so, it would look like this:

filter {
   mutate {
     copy => { "destinationToken" => "sourceToken" }
   }
}

Do you see the similarities? Does this make sense?