option to replace field or tag OR change order of command processing

[lagbc]

It would be beneficial to have option to replace_field and replace_tag, because currently it is only possible to add tags or remove field all together, but not replace all contents of certain field or tags.

Potentially it could also be achieved by having order in what commands are processed i.e. remove_field first and add_field second, it seems that currently it's other way around and even if I have this configuration:

filter {
cidr {
remove_field => [ "[fields][env]" ]
add_field => { "[fields][env]" => "env01" }
address => [ "%{[@metadata][ip_address]}" ]
network => [ "10.0.23.0/24"]
}
}

End result will be that fields.env doesn't exist as remove_field seems to be processed last.

Thank you!

[yaauie]

This plugin works by conditionally sending filter_matched iff the event matches the rule, which in turn causes the "common" directives of the filter to run (and these directives are run in a specific order that is independent of the order in which they are specified in the pipeline configuration).

The best workaround I can think of is to use the CIDR filter to store a value in @metadata, then conditionally use that @metadata field in separate mutate filters:

filter {
  cidr {
    address => [ "%{[@metadata][ip_address]}" ]
    network => [ "10.0.23.0/24" ]
    add_field => { "[@metadata][detected-env]" => "env01" }
  }
  if [@metadata][detected-env] {
    mutate { remove_field => "[fields][env]" }
    mutate { add_field => { "[fields][env]" => "%{[@metadata][detected-env]}" }
  }
}