Combine several fields using ruby/merge/aggregate

Below is the sample log which I get as an output:

{
"field1": {
--content--
{},
,
}
"field2": {
--content--
{},
,
}
"field3": {
--content--
{},
,
}
}

I want to combine all the fields so that I see output in one single field, like below -

{
"OneField":
{
--content of field1 + field2 + field3--
{},
,
}
}

Please help out with an example; that would be great.

Can you provide examples that are valid JSON for both the input and result? It's really unclear what you want.

Hi Badger - Below I have pasted one log. Please see:

{
"winlog": {
"opcode": "Info",
"keywords": [
"Audit Success"
],
"api": "wineventlog",
"record_id": 8217123,
"event_data": {
"TargetDomainName": "Domain",
"TargetUserName": "Patrik",
"TargetUserSid": "S-1-5-21-2706447373-3929271640-2302363577-347960",
"TargetLogonId": "0xc624c9e",
"LogonType": "3"
},
"process": {
"thread": {
"id": 80452
},
"pid": 1408
},
"provider_name": "Microsoft-Windows-Security-Auditing",
"task": "Logoff",
"computer_name": "hostname",
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"channel": "Security",
"event_id": 4634
},
"@timestamp": "2019-07-03T14:46:57.188Z",
"ecs": {
"version": "1.0.0"
},
"log": {
"level": "information"
},
"event": {
"kind": "event",
"code": 4634,
"action": "Logoff",
"created": "2019-07-03T14:47:07.060Z"
},
"message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2706447373-3929271640-2302363577-347960\n\tAccount Name:\t\tpatrik\n\tAccount Domain:\t\t\n\tLogon ID:\t\t0xC624C9E\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"@version": "1",
"agent": {
"version": "7.1.1",
"ephemeral_id": "679c7668-8bec-4026-9e94-87a9fbbe945f",
"type": "winlogbeat",
"id": "d7176a05-dd6b-41a7-80a2-0cf04fb9fd79",
"hostname": "hostname"
}
}

Here we have got several fields:

  1. winlog
  2. ecs
  3. event
  4. @version
  5. log
  6. agent
  7. message
  8. @timestamp

I want to combine all these fields and make them one field. Can you please help me with this requirement?
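One reading of the request above is the "insert them into a hash" option: nest every top-level field of the event under a single key such as "OneField", which is what the second sample in the original question sketches. The block below is an added example and not code from the thread; it shows the body of a Logstash `ruby` filter that does this. Logstash normally supplies the `event` object (a `LogStash::Event` with `to_hash`, `get`, `set` and `remove`); the `FakeEvent` class here is a constructed stand-in with the same method names so the logic can be run and checked outside Logstash. The field name `OneField` and the decision to leave `@timestamp` and `@version` in place are assumptions.

```ruby
# Added example: logic for a Logstash `ruby` filter that nests all top-level
# fields under one key. Not from the original thread.
#
# In Logstash the `event` argument is a LogStash::Event; FakeEvent below is a
# constructed stand-in exposing the same method names so this file runs alone.

require 'json'

class FakeEvent
  def initialize(data)
    @data = data
  end

  # LogStash::Event#to_hash also returns a copy, so iterating it while
  # removing fields from the event is safe.
  def to_hash
    @data.dup
  end

  def get(field)
    @data[field]
  end

  def set(field, value)
    @data[field] = value
  end

  def remove(field)
    @data.delete(field)
  end
end

# Fields Logstash manages itself; leaving them at the top level keeps the
# event usable by later filters and outputs (assumption, adjust as needed).
KEEP = ['@timestamp', '@version'].freeze

# Move every other top-level field under `target`, returning the event.
# Inside Logstash, the body of this method is what goes into `code => "..."`.
def merge_into_one_field(event, target = 'OneField', keep = KEEP)
  merged = {}
  event.to_hash.each_key do |k|
    next if keep.include?(k) || k == target
    merged[k] = event.get(k)
    event.remove(k)
  end
  event.set(target, merged)
  event
end

# Constructed sample modelled on the winlogbeat document posted in the thread
# (trimmed to a few fields).
SAMPLE = {
  'winlog' => { 'event_id' => 4634, 'task' => 'Logoff' },
  'ecs' => { 'version' => '1.0.0' },
  'message' => 'An account was logged off.',
  '@timestamp' => '2019-07-03T14:46:57.188Z',
  '@version' => '1'
}.freeze

if __FILE__ == $PROGRAM_NAME
  ev = merge_into_one_field(FakeEvent.new(SAMPLE.dup))
  puts JSON.pretty_generate(ev.to_hash)
end
```

Inside a pipeline this would sit in `filter { ruby { code => "..." } }` with the method body as the code string; because `to_hash` yields a copy, fields can be removed from the live event while walking that copy without skipping entries.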

What do you mean by "make it one field"? Do you want to concatenate the strings? Concatenate with a separator? Make them an array? Insert them into a hash?
