Hi all,
I have a bunch of if + mutate blocks that check the dst-port field and then update the protocol field to the correct protocol name (for custom destination ports that cannot be recognized by nProbe):
```
filter {
  if [dst-port] == 5601 {
    mutate {
      update => { "protocol" => "Kibana" }
    }
  }
  if [dst-port] == 9200 {
    mutate {
      update => { "protocol" => "Elasticsearch" }
    }
  }
}
```
The problem is that with about 10 if blocks, Logstash throughput drops significantly. Because NetFlow uses indexing time as the timestamp, a throughput drop is not acceptable. I've looked at the mutate filter itself, but is there any better way to accomplish such a check-and-rename operation?
Thanks
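As an added example (not part of the original post or any reply to it), the same port-to-protocol mapping written as a single translate filter lookup instead of a chain of conditionals. It assumes the logstash-filter-translate plugin is available, that dst-port arrives as a number and is matched against the dictionary's string keys, and that override is required because the protocol field already exists on the event:

```logstash
filter {
  # One dictionary lookup replaces the chain of "if [dst-port] == N" blocks.
  # Assumption: the logstash-filter-translate plugin is installed (it is part of
  # the default Logstash distribution); option names follow its "field" /
  # "destination" form.
  translate {
    field       => "[dst-port]"   # numeric source value, looked up by its string form
    destination => "[protocol]"   # field to overwrite with the matched name
    override    => true           # "protocol" already exists, so replace it
    exact       => true           # whole-value match, no regex
    dictionary  => {
      "5601" => "Kibana"          # constructed mapping; extend with further ports
      "9200" => "Elasticsearch"
    }
    # No "fallback" is set, so ports absent from the dictionary leave the
    # nProbe-assigned protocol untouched rather than overwriting it with a default.
  }
}
```

The lookup is performed once per event, so adding more ports to the dictionary does not add another conditional to evaluate.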