Hello every body,
I have two question about the mutate filter:
The first one is about adding a0,a1 and a2 fiels that contain the process args to a same field [process][args] (process.args=a0,a1,a2) how i can do it ?
The second one is about renaming multiples field example (gid, sid, uid) with the same name [user][id].
THANKS in advance for the help
Best regard,
It is really not clear what you are asking. Can you show, using JSON, for example, the before and after of what you want in the two cases?
Hello Badger,
Thanks for you reply, I apologize because the question was not clear to you.
For the first question my goal was to have a field (process.args) that concatinate the value of a three fields a0, a2 and a3
The issue was resolved by adding the filter bellow
I puted:
filter {
mutate {
add_field => "{" [process] [args] "=>"% {a0}% {a1}% {a2} "}"
}
}
For the second one it was about having two fields sid, uid that i wanted to point to the same field user.id (> mutate{
copy => {"sid" => "[user][id]"}
copy => {"suid" => "[user][id]"}
})
The error was bypassed by converting the sid and suid field to the exported field of auditbeat [auditd][data][gid] and [auditd][data][suid] but i am not sure if those two field are conforms of the ECS
filer{
mutate {copy => {"sid" => "[auditd][data][gid]"}
copy => {"suid" => "[auditd][data][suid]"}
}
}
Best regards
The ECS fields for auditd are documented here. That document uses field.subfield notation, not logstash-style [field][subfield]
Thanks Badger that was helpful
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.