Add human readable field with lookup

tonelk · February 8, 2023, 2:27pm

Hi,
I want to add the human readable description of error codes in my data. I've tried this

processors:
 - add_fields:
     when:
       equals:
         cisco_code: "106015"
     fields:
       cisco_description: 'Deny TCP (no connection) from A to B flags RST ACK on interface x'
 - add_fields:
     when:
       equals:
         cisco_code: "313005"
     fields:
       cisco_description: 'No matching connection for ICMP error message'

which works, but isn't very maintainable. I do have a csv with the info i'd like

106015;Deny TCP (no connection) from A to B flags RST ACK on interface x
313005;No matching connection for ICMP error message

Is there a way to make use of that csv file to do this?

Thnx
Ton

leandrojmp · February 8, 2023, 3:53pm

Are you using Logstash or sending direct from beats to elasticsearch?

If you are using logstash you may easily do it using the translate filter.

If you are sending it direct to Elasticsearch you may need to use the enrich processor, but you would need to create an index with the content of your csv and keep this updated.

system · March 8, 2023, 5:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to add field from ECS Logstash	2	288	June 19, 2022
Extract message to additional fields Beats filebeat	2	507	July 6, 2020
Parse error for cisco asa logs in filebeat module Beats filebeat	2	702	August 15, 2019
Cannot get all fields in Kibana Beats packetbeat	4	838	July 8, 2017
Failed to parse field [host] of type [text] .. can't get text on a START_OBJECT at 1:974 Logstash beats-module	3	12896	June 30, 2020

Add human readable field with lookup

Related topics