Add field depending of the dstip

donetz · November 5, 2019, 9:28am

Hi community!

I'm using logstash to process some data and I'm in trouble!! This is my situation:

I'm reading alerts witg Filebeat from a file that has been written by a SIEM.
I'm receiving these alerts with logstash and I want to check if "dstip" is a concrete one, and then add a field if matched.

Logstash conf:

Thanks in advance!!

Badger · November 5, 2019, 3:50pm

You are trying to add a field, but you have configured a remove_field option. Plus, that takes an array, not a hash, so it ends up as a no-op.

donetz · November 6, 2019, 9:20am

What do you mean when you say that it takes an array?
I don´t know how add fields to the alert when the dtsip IP is a specific one.
This is the message I'm receiving.

Badger · November 6, 2019, 2:42pm

remove_field needs a list of fields to remove. It does not matter what the values of the fields are, so all it needs is an array of field names.

add_field needs a list of fields to add and the values that should be added. So it expects a hash.

system · December 4, 2019, 2:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.