Hey guys, I'm trying to aggregate audit events from a Linux host with logstash-8.8.1-1.x86_64 and got this error:
Badly formatted index, after interpolation still contains placeholder: [%{[@metadat a][target_index]}]
The stdout { codec => rubydebug } event output:
    {
        "@timestamp" => 2023-07-20T18:27:01.000Z,
        "@version" => "1",
        "tags" => [
            [0] "aggregated"
        ],
        "process.title" => "tr -dc [:digit:]",
        "host.name" => "host09",
        "[@metadata][target_index]" => "p-os-linux-sh",
    }
The code:
    aggregate {
      task_id => "%{audit.event.id}"
      code => "
        curr_index = 'empty'
        map['tags'] || map['tags'] = event.get('tags')
        map['process.title'] || map['process.title'] = event.get('process.title')
        map['host.name'] || map['host.name'] = event.get('host.name')
        map['@timestamp'] || map['@timestamp'] = event.get('@timestamp')
        map['[@metadata][target_index]'] || map['[@metadata][target_index]'] = event.get('[@metadata][target_index]')
        curr_index = event.get('[@metadata][target_index]')
        if ! map['[@metadata][target_index]'].match(/3y$/)
          if curr_index.match(/3y$/)
            map['[@metadata][target_index]'] = curr_index
          elsif curr_index.match(/1y$/) and not map['[@metadata][target_index]'].match(/1y$/)
            map['[@metadata][target_index]'] = curr_index
          end
        end
      "
      push_map_as_event_on_timeout => true
      timeout => 10
      inactivity_timeout => 5
      timeout_code => '
        event.tag("aggregated")
      '
    }
The root of the problem is the different [@metadata][target_index] values in the events. The highest-priority index ends with 3y, and so on.
If I set [@metadata][target_index] in the "timeout_code" block to a "string" value, it works.
But I don't know how to set it from a variable;
    event.set( '[@metadata][target_index]', map[ '[@metadata][target_index]' ] )
is not working.
I know it looks like reinventing the wheel while auditbeat exists.
But auditbeat consumes too much CPU for use in a high-load prod.
Replacing map['[@metadata][target_index]'] with map['@metadata.target_index'] does not help.
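Added example, not part of the post above: plain Ruby that models what the rubydebug output suggests. The bracket string '[@metadata][target_index]' is used as a literal aggregate-map key, so when the map is pushed as an event it shows up as a top-level field with that literal name rather than as a nested @metadata field. The model keeps the post's 3y > 1y priority rule in its own function and, as one possible pattern (an assumption, not a verified Logstash fix), stores the index under a plain key and moves it into a real nested hash at push time; the flat input events and the push behaviour are simplifications of the real filter.

```ruby
# Priority from the post: an index ending in 3y beats one ending in 1y,
# which beats anything else. Returns the index that should win.
def pick_target_index(current, candidate)
  return candidate if current.nil?
  return current if current.match?(/3y$/)
  return candidate if candidate.match?(/3y$/)
  return candidate if candidate.match?(/1y$/) && !current.match?(/1y$/)
  current
end

# Models push_map_as_event_on_timeout: every map key becomes a top-level
# field name verbatim (assumption based on the rubydebug output).
def push_map_as_event(map)
  map.each_with_object({}) { |(k, v), event| event[k] = v }
end

# What the posted config does: the bracket string is just a hash key, so
# the pushed event has no nested @metadata hash at all.
def literal_key_example
  push_map_as_event({ '[@metadata][target_index]' => 'p-os-linux-sh' })
end

# Alternative pattern: keep a plain key in the map, then (where timeout_code
# would run) move it into the nested @metadata hash and drop the temp field.
def aggregate(events)
  map = {}
  events.each do |e|
    map['tags'] ||= e['tags']
    map['host.name'] ||= e['host.name']
    map['target_index'] = pick_target_index(map['target_index'], e['target_index'])
  end
  event = push_map_as_event(map)
  event['@metadata'] = { 'target_index' => event.delete('target_index') }
  event['tags'] = (event['tags'] || []) + ['aggregated']
  event
end

# Constructed sample events sharing one audit.event.id (flat keys for brevity)
SAMPLE = [
  { 'host.name' => 'host09', 'tags' => [], 'target_index' => 'p-os-linux-sh' },
  { 'host.name' => 'host09', 'tags' => [], 'target_index' => 'p-os-linux-1y' },
  { 'host.name' => 'host09', 'tags' => [], 'target_index' => 'p-os-linux-3y' },
  { 'host.name' => 'host09', 'tags' => [], 'target_index' => 'p-os-linux-1y' },
]

if __FILE__ == $PROGRAM_NAME
  p literal_key_example
  p aggregate(SAMPLE)
end
```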