Convert fieldtype from neflow protocol .uint8

pereyrdi · December 2, 2016, 3:25pm

Hi all !
Im creating new fields from netflow information, for example get the ipaddres and resolve the hostname into another field.

      mutate {     
		add_field => { "IPAddress" => "%{host}" } 
		add_field => { "Hostname"  => "%{host}" } 
	  }              	  
	  dns {
	    nameserver => ["8.8.8.8"]
		reverse => ["Hostname"]
		action => replace
	  }

But when I do an "add_field => { "protocol_name" => "%{protocol}" }" from the protocol field, dont work, it print

"protocol_name" => "%{protocol}" and not the original value.
should be "protocol_name" => "1"

(in the netflow.yml loof like this
4:

:uint8
:protocol

and the output
{
"netflow" => {
"protocol" => 1,

Any idea why I cannot get the value from protocol field ?
Thanks
Diego

pereyrdi · December 2, 2016, 3:59pm

Done, The correct way is this.

 add_field =>  {"protocol_name" => "%{[netflow][protocol]}"}

=)

Diego.

system · December 30, 2016, 3:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash ip protocol enriching Logstash	3	537	September 13, 2021
Help with filter/mutate, replace netflow snmp field Logstash	1	501	April 24, 2019
Logstash Netflow translate and convert a field Logstash	5	872	July 19, 2017
Logstash Conditional format? Logstash	3	980	July 6, 2017
Troubling with add_field in filter. Please advice Logstash	2	959	July 6, 2017

Convert fieldtype from neflow protocol .uint8

Related topics