Add field from ECS field (winlogbeats)

Camilo_Diaz · October 28, 2020, 1:17am

I am trying to add some fields to the logs coming from wingbeat 7.9 to Logstash.

I need to extract the value from either user.name or related.user and add a new 'username' field.

I was doing something like this but this just adds the text '%related.user' to the logs. Is this possible at all?

      if [type] == "winlogbeat" and [user][name]  {
          mutate {
                    add_field  => [ "username", "%[user][name]" ]
                 }
       }

Thanks,
Camilo

Badger · October 28, 2020, 3:46pm

A sprintf reference should look like

"%{[user][name]}"

Camilo_Diaz · October 28, 2020, 8:25pm

Thanks @Badger. Dunno how I missed that

Working as expected now.

system · November 25, 2020, 8:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create Field Winlogbeat Beats winlogbeat	5	445	June 25, 2020
Add field in logstash of Winlogbeats input Logstash	5	657	May 4, 2020
Failed to add field from ECS Logstash	2	287	June 19, 2022
Can not add a new field using if filter and add_field Logstash	6	454	July 27, 2020
How catch "user.name" parameter from winlog with logstash Logstash	6	202	October 26, 2023

Add field from ECS field (winlogbeats)

Related Topics