Add_tag failing

Elastic Stack Logstash
#1

i have the following in my config file, where i'm using the GeoIPASNum database to add the AS of an IP to its own field (asn_id.orig_h.number)

if [id.orig_h] {
geoip {
database => "/opt/logstash/vendor/geoip/GeoIPASNum.dat"
source => "id.orig_h"
target => "asn_id.orig_h"
}
mutate {
add_tag => [ "%{asn_id.orig_h.number}" ]
}

the lookup is successful because I can see the fields in kibana/es, however its not adding the AS (eg: AS12345) and instead its adding %{asn_id.orig_h.number} as a string. i've also tried moving the mutate to a new section with something like:

if [asn_id.orig_h.number] {
mutate {
add_tag => [ "%{asn_id.orig_h.number}" ]
}

but that also fails. any ideas on how I can get this working?

#2

Then does asn_id.orig_h.number exist in the document?

If it did/does, then this should also work and is cleaner;

geoip {
database => "/opt/logstash/vendor/geoip/GeoIPASNum.dat"
source => "id.orig_h"
target => "asn_id.orig_h"
add_tag => [ "%{asn_id.orig_h.number}" ]
}
#3

if i don't have the add_tag statement, asn_id.orig_h.number exists as I would expect:

  "asn_id.resp_h": {
     "asn": "VeriSign Global Registry Services",
     "number": "AS26415"
  },

using your config, I end up with:

  "asn_id.resp_h": {
     "asn": "VeriSign Global Registry Services",
     "number": "AS26415"
  },
  "tags": [
     "%{asn_id.resp_h.number}"
  ],
#4

You may need to use %[asn_id.orig_h][number] as it's a nested field.

#5

same thing, using;

add_tag => [ "%[asn_id.orig_h][number]" ]

just displays %[asn_id.resp_h][number] as the tag

#6

a-ha. looks like;

add_tag => [ "%{[asn_id.resp_h][number]}" ]

was the answer

1 Like
#7

Ohh, so close :wink:

#8