Hello, I'm trying to get the hostname from the netflow I'm working on. For now I have this code:
filter {
  # Don't save what concerns the host
  #if "*.*.*.*" in ["%{[source][ip]}", "%{[dest][ip]}"] {
  #  drop {}
  #}

  cidr {
    add_field => ["direction", "incoming"]
    address   => ["%{[dest][ip]}"]
    network   => ["*.*.*.*/*", "*.*.*.*/*", "*.*.*.*/*", "*.*.*.*/*"]
  }
  cidr {
    add_field => ["direction", "outgoing"]
    address   => ["%{[source][ip]}"]
    network   => ["*.*.*.*/*", "*.*.*.*/*", "*.*.*.*/*", "*.*.*.*/*"]
  }
  cidr {
    add_field => ["network", "*.*.*.*/*"]
    address   => ["%{[source][ip]}", "%{[dest][ip]}"]
    network   => ["*.*.*.*/*"]
  }
  cidr {
    add_field => ["network", "*.*.*.*/*"]
    address   => ["%{[source][ip]}", "%{[dest][ip]}"]
    network   => ["*.*.*.*/*"]
  }
  cidr {
    add_field => ["network", "*.*.*.*/*"]
    address   => ["%{[source][ip]}", "%{[dest][ip]}"]
    network   => ["*.*.*.*/*"]
  }
  cidr {
    add_field => ["network", "*.*.*.*/*"]
    address   => ["%{[source][ip]}", "%{[dest][ip]}"]
    network   => ["*.*.*.*/*"]
  }

  if [direction] == "incoming" {
    mutate { add_field => { "hostname" => "%{[source][ip]}" } }
    dns {
      reverse    => ["hostname"]
      action     => "replace"
      nameserver => ["*.*.*.*"]
    }
    # Remove the field if there was no useful DNS resolution
    if [hostname] == "%{[source][ip]}" {
      mutate {
        remove_field => ["hostname"]
        add_tag      => ["deletedDns"]
      }
    }
  } else if [direction] == "outgoing" {
    mutate { add_field => { "hostname" => "%{[dest][ip]}" } }
    dns {
      reverse    => ["hostname"]
      action     => "replace"
      nameserver => ["*.*.*.*"]
    }
    # Remove the field if there was no useful DNS resolution
    # (compared against [dest][ip] here; the original compared against [source][ip], a copy-paste slip)
    if [hostname] == "%{[dest][ip]}" {
      mutate {
        remove_field => ["hostname"]
        add_tag      => ["deletedDns"]
      }
    }
  }
}
So the problem is that when the 'hostname' field has actually not changed, it is not erased from the data.
I added a tag to see whether the problem was in the condition or in the 'remove_field' function, but neither of them is executed, so I suppose the condition is the problem.
Thanks in advance for your help.
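The condition is the likely cause: Logstash conditionals do not expand sprintf references, so `"%{[source][ip]}"` inside `if` is compared as a literal string and never matches the unresolved IP. The following is an added example, not the poster's config, showing the incoming/outgoing branches rewritten to compare field references directly; the nameserver value is a placeholder, as in the post.

```conf
filter {
  # Pick the IP to resolve depending on the flow direction (set earlier by cidr).
  if [direction] == "incoming" {
    mutate { add_field => { "hostname" => "%{[source][ip]}" } }
  } else if [direction] == "outgoing" {
    mutate { add_field => { "hostname" => "%{[dest][ip]}" } }
  }

  if [hostname] {
    # Reverse lookup; when the PTR lookup fails, action => "replace" leaves
    # the original IP string in [hostname].
    dns {
      reverse    => ["hostname"]
      action     => "replace"
      nameserver => ["*.*.*.*"]   # placeholder resolver address, as in the post
    }

    # Conditionals compare field references directly; "%{[source][ip]}" would
    # be treated as a literal string here, so the field-to-field form is needed.
    if ([direction] == "incoming" and [hostname] == [source][ip])
       or ([direction] == "outgoing" and [hostname] == [dest][ip]) {
      mutate {
        remove_field => ["hostname"]
        add_tag      => ["deletedDns"]
      }
    }
  }
}
```

A quick way to verify the comparison is to run Logstash with a stdin input and `stdout { codec => rubydebug }` on a flow whose IP has no PTR record and confirm that `deletedDns` appears in `tags`.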