Add Sub fields

Hi,

How do I add sub fields in Logstash, e.g. server, time, message?

I want to add the sub fields modsec.server, modsec.time, modsec.message.

Any idea?

This link explains the Logstash field syntax: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references

mutate {
  add_field => { "[modsec][server]" => "something" } 
} 

Do I have to do it one by one for each field?
What if I want all fields to be added as sub fields?

I think I don't understand the question? Do you want to move every single field of your event from the root to modsec? If you have a few fields that already exist and that should be moved, you would use the rename option of the mutate filter. If there is a dynamic number of fields in your event that should all be moved, you could use Ruby to iterate over them.
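The Ruby iteration suggested in the reply above, as an added example that is not part of the original thread. `FakeEvent` and `nest_under` are hypothetical names; `FakeEvent` mimics only the `to_hash`, `set` and `remove` calls of a Logstash event so the loop can run outside Logstash, and the sample values are constructed.

```ruby
# Stand-in for a Logstash event (assumption: only to_hash/set/remove are
# mimicked, and remove handles top-level fields only).
class FakeEvent
  def initialize(data)
    @data = data
  end

  def to_hash
    @data.dup
  end

  # Accepts a field reference such as "[modsec][server]".
  def set(ref, value)
    *parents, leaf = ref.scan(/\[([^\]]+)\]/).flatten
    parents.reduce(@data) { |h, k| h[k] ||= {} }[leaf] = value
  end

  def remove(name)
    @data.delete(name)
  end
end

# Move every root field under [prefix], leaving Logstash's own fields alone.
# In a ruby filter, the same loop would go in the `code` option and use `event`.
def nest_under(event, prefix, keep = ["@timestamp", "@version", "tags"])
  moved = []
  # Iterate over the to_hash snapshot so the event can be changed in the loop.
  event.to_hash.each do |name, value|
    next if name == prefix || keep.include?(name)
    event.set("[#{prefix}][#{name}]", value)
    event.remove(name)
    moved << name
  end
  moved
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample event using the field names from the question.
  ev = FakeEvent.new({ "server" => "web01", "time" => "2020-01-01T00:00:00Z",
                       "message" => "constructed sample",
                       "@timestamp" => "2020-01-01T00:00:00Z" })
  nest_under(ev, "modsec")
  p ev.to_hash
end
```

Fields already nested under `modsec` are kept, and newly moved fields are merged in beside them.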

OK, thanks. I will move all fields to the root modsec, and I will configure mutate one field at a time.

Thank you for the advice.
