Hi,
I'm using the DNS filter in my Logstash conf and I would like to store the IP address that the filter is resolving to a separate field. I tried using the add_field parameter but its not working. I end up storing the FQDN, IP in both the device and IP fields. Using action => "replace" has same effect.
dns {
resolve => [ "device" ]
add_field => { "ip" => "%{device}"}
}
The dns filter unconditionally modifies the source field by either replacing it (action => replace) or converting it to an array and appending to it (action => append).
If you want the result in a separate field then you can do it using
add_field => { "ip" => "%{[device][1]}" }
then a separate mutate to remove the second entry from the array
mutate { replace => { "device" => "%{[device][0]}" } }This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.