Add_fields processor not working

ajhstn · August 10, 2019, 3:58am

Hello - can you spot any problem with this processor. when i .\winlogbeat.exe test config i get a good Config OK as expected, however when events that i feel should match the processor occur, the field is not being added.

Please note NONE of these 4 add fields seem to work. I have other processors above and beneath this code that works fine..

    - add_fields:
        when.equals.winlog.event_id: "6005"
        fields:
          winlog.event_data.Info: "Machine starting"
        target: ""
    - add_fields:
        when.equals.winlog.event_id: "6006"
        fields:
          winlog.event_data.Info: "Machine stopping"
        target: ""
    - add_fields:
        when:
          and:
            - equals.winlog.event_id: "1074"
            - equals.winlog.event_data.param5: "restart"
        fields:
          winlog.event_data.Info: "Machine will restart"
        target: ""
    - add_fields:
        when:
          and:
            - equals.winlog.event_id: "1074"
            - equals.winlog.event_data.param5: "power off"
        fields:
          winlog.event_data.Info: "Machine will shutdown"
        target: ""

ajhstn · August 10, 2019, 4:33am

Fixed, i changed strings to the correct data type and it worked, eg "6005" should be 6005, namely a number not a string.

system · September 7, 2019, 6:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.