brain
April 3, 2016, 5:54am
I have the following in my config file, where I'm using the GeoIPASNum database to add the AS of an IP to its own field (asn_id.orig_h.number):
if [id.orig_h] {
  geoip {
    database => "/opt/logstash/vendor/geoip/GeoIPASNum.dat"
    source => "id.orig_h"
    target => "asn_id.orig_h"
  }
  mutate {
    add_tag => [ "%{asn_id.orig_h.number}" ]
  }
}
The lookup is successful because I can see the fields in Kibana/ES; however, it's not adding the AS (e.g. AS12345) and instead it's adding %{asn_id.orig_h.number} as a string. I've also tried moving the mutate to a new section with something like:
if [asn_id.orig_h.number] {
  mutate {
    add_tag => [ "%{asn_id.orig_h.number}" ]
  }
}
But that also fails. Any ideas on how I can get this working?
warkolm
(Mark Walkom)
April 3, 2016, 6:04am
Then does asn_id.orig_h.number exist in the document?
If it did/does, then this should also work and is cleaner:
geoip {
  database => "/opt/logstash/vendor/geoip/GeoIPASNum.dat"
  source => "id.orig_h"
  target => "asn_id.orig_h"
  add_tag => [ "%{asn_id.orig_h.number}" ]
}
brain
April 3, 2016, 6:51am
If I don't have the add_tag statement, asn_id.orig_h.number exists as I would expect:
"asn_id.resp_h": {
  "asn": "VeriSign Global Registry Services",
  "number": "AS26415"
},
Using your config, I end up with:
"asn_id.resp_h": {
  "asn": "VeriSign Global Registry Services",
  "number": "AS26415"
},
"tags": [
  "%{asn_id.resp_h.number}"
],
warkolm
(Mark Walkom)
April 3, 2016, 7:05am
You may need to use %[asn_id.orig_h][number] as it's a nested field.
brain
April 3, 2016, 7:19am
Same thing; using
  add_tag => [ "%[asn_id.orig_h][number]" ]
just displays %[asn_id.resp_h][number] as the tag.
brain
April 3, 2016, 7:26am
A-ha. Looks like
  add_tag => [ "%{[asn_id.resp_h][number]}" ]
was the answer.
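Why the bracketed reference resolves while the dotted one stays literal, shown with an added Ruby example that is not from the thread or from Logstash itself: a small re-implementation of Logstash's sprintf field lookup run over a constructed event whose geoip target key, like "asn_id.orig_h" above, contains a dot (the address and AS number are made up).

```ruby
# Added example (not from the thread): minimal model of how Logstash
# expands "%{...}" field references inside strings such as add_tag values.
# Field names may legitimately contain dots, so a dotted name is NOT
# split into a path; nesting must be written as [outer][inner].

# Constructed event resembling the one in the thread: the geoip target
# "asn_id.orig_h" is one top-level key that happens to contain a dot.
EVENT = {
  "id.orig_h"     => "192.0.2.10",
  "asn_id.orig_h" => { "asn" => "Example AS", "number" => "AS64496" },
  "tags"          => []
}

# Resolve one field reference. "[a][b]" walks nested hashes; a bare name
# is looked up as a literal top-level key (dots included). Returns nil
# when the path does not exist.
def lookup(event, ref)
  parts = ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  parts.reduce(event) do |node, key|
    return nil unless node.is_a?(Hash) && node.key?(key)
    node[key]
  end
end

# Expand every %{...} placeholder; an unresolved reference is left verbatim,
# which is what produced the literal "%{asn_id.orig_h.number}" tag above.
def sprintf_format(event, template)
  template.gsub(/%\{([^}]+)\}/) do
    value = lookup(event, Regexp.last_match(1))
    value.nil? ? Regexp.last_match(0) : value.to_s
  end
end

# Equivalent of mutate { add_tag => [ template ] }; returns the tag added.
def add_tag(event, template)
  tag = sprintf_format(event, template)
  event["tags"] << tag unless event["tags"].include?(tag)
  tag
end

if __FILE__ == $PROGRAM_NAME
  puts add_tag(EVENT, "%{asn_id.orig_h.number}")    # "%{asn_id.orig_h.number}"
  puts add_tag(EVENT, "%[asn_id.orig_h][number]")   # "%[asn_id.orig_h][number]"
  puts add_tag(EVENT, "%{[asn_id.orig_h][number]}") # "AS64496"
end
```

The second form is not a %{...} placeholder at all, so it is never interpolated, matching what the thread observed.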