Add human readable field with lookup

tonelk · February 8, 2023, 2:27pm

Hi,
I want to add the human readable description of error codes in my data. I've tried this

processors:
 - add_fields:
     when:
       equals:
         cisco_code: "106015"
     fields:
       cisco_description: 'Deny TCP (no connection) from A to B flags RST ACK on interface x'
 - add_fields:
     when:
       equals:
         cisco_code: "313005"
     fields:
       cisco_description: 'No matching connection for ICMP error message'

which works, but isn't very maintainable. I do have a csv with the info i'd like

106015;Deny TCP (no connection) from A to B flags RST ACK on interface x
313005;No matching connection for ICMP error message

Is there a way to make use of that csv file to do this?

Thnx
Ton

leandrojmp · February 8, 2023, 3:53pm

Are you using Logstash or sending direct from beats to elasticsearch?

If you are using logstash you may easily do it using the translate filter.

If you are sending it direct to Elasticsearch you may need to use the enrich processor, but you would need to create an index with the content of your csv and keep this updated.

system · March 8, 2023, 5:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.