Add_fields processor not working

ajhstn · August 10, 2019, 3:58am

Hello - can you spot any problem with this processor. when i .\winlogbeat.exe test config i get a good Config OK as expected, however when events that i feel should match the processor occur, the field is not being added.

Please note NONE of these 4 add fields seem to work. I have other processors above and beneath this code that works fine..

    - add_fields:
        when.equals.winlog.event_id: "6005"
        fields:
          winlog.event_data.Info: "Machine starting"
        target: ""
    - add_fields:
        when.equals.winlog.event_id: "6006"
        fields:
          winlog.event_data.Info: "Machine stopping"
        target: ""
    - add_fields:
        when:
          and:
            - equals.winlog.event_id: "1074"
            - equals.winlog.event_data.param5: "restart"
        fields:
          winlog.event_data.Info: "Machine will restart"
        target: ""
    - add_fields:
        when:
          and:
            - equals.winlog.event_id: "1074"
            - equals.winlog.event_data.param5: "power off"
        fields:
          winlog.event_data.Info: "Machine will shutdown"
        target: ""

ajhstn · August 10, 2019, 4:33am

Fixed, i changed strings to the correct data type and it worked, eg "6005" should be 6005, namely a number not a string.

system · September 7, 2019, 6:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Add fields to winlogbeat events Beats winlogbeat	8	985	June 24, 2019
How to add a field with description for a specific Windows Event ID? Beats winlogbeat	6	555	April 28, 2021
Winlogbeat multiple add_fields processors throws an error Beats winlogbeat	2	627	May 26, 2020
Adding custom fields doesn't work in Winlogbeat Beats winlogbeat	3	912	August 20, 2018
Winlogbeat drop_fields not working Beats winlogbeat	6	1813	July 5, 2021

Add_fields processor not working

Related topics