Doubts about extract field

Hello People,

I have this code

```
input {
  stdin { }
}

filter {
  # Parse the JSON document in "message" into top-level fields
  # (other_logs, source_ip, subject, ...).
  json {
    source => "message"
  }

  # Tidy the raw JSON text left in "message": newlines become commas and
  # backslashes are dropped. "[\\]" is a regex matching a single backslash;
  # this assumes the default config.support_escapes: false, under which the
  # config string is handed to the regex engine unchanged.
  mutate {
    gsub => [
      "message", "\n", ",",
      "message", "[\\]", ""
    ]
  }

  # other_logs is a single string whose entries are separated by newlines.
  # Within one mutate the operations run in a fixed order (gsub before split,
  # add_field last), so the field is already an array when add_field reads it.
  mutate {
    gsub => [ "other_logs", "\n", "," ]
    split => [ "other_logs", "," ]
    add_field => { "Client SSH" => "%{[other_logs][2]}" }
    add_field => { "User" => "%{[other_logs][3]}" }
    add_field => { "Password" => "%{[other_logs][4]}" }
  }
}

output { stdout { codec => rubydebug } }
```
My output is something like this

```
"aka_vulnerability" => false,
"Password" => "Password:packet",
"Client SSH" => "Client SSH:SSH-2.0-libssh-0.6.3",
"service" => "ssh",
"timestamp" => "2020-07-02 08:00:10",
"host" => "xyz",
"@version" => "1",
"target_ips" => {
"1.1.1.1" => {
"port" => "22"
}
},
"message" => "{"aka_vulnerability": false, "service": "ssh", "timestamp": "2020-07-02 08:00:10", "target_ips": {"1.1.1.1": {"port": "22"}}, "source_ip": "2.2.2.2", "other_logs": "Start Attack:"2020-07-02 08:00:10"nEnd Attack:"2020-07-02 08:00:10"nClient SSH:SSH-2.0-libssh-0.6.3nUser:packetnPassword:packet", "source_hostname": "-", "source_port": "11818", "subject": "Brute Force"}",
"subject" => "Brute Force",
"User" => "User:packet",
"source_hostname" => "-",
"other_logs" => [
[0] "Start Attack:"2020-07-02 08:00:10"",
[1] "End Attack:"2020-07-02 08:00:10"",
[2] "Client SSH:SSH-2.0-libssh-0.6.3",
[3] "User:packet",
[4] "Password:packet"
],

```
I would like my fields "User" and "Password" to be printed as follows

"User" => "packet"
"Password" => "packet"

That is, without the field name, as below.

In a separate gsub, after the gsub that adds the fields, remove the prefix.

```
mutate {
  gsub => [
    "User", "User:", "",
    "Password", "Password:", ""
  ]
}
```
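Badger's extra gsub answers the question as asked. As an added example that is not part of the thread (neither Badger's nor the poster's code), the Ruby below parses other_logs into key/value pairs by splitting each line on its first colon, so values that contain colons themselves (the timestamps, the SSH banner) survive, and a user name or password containing a comma cannot shift the positional indexes [other_logs][3] / [other_logs][4] that the original config depends on. SAMPLE_OTHER_LOGS is constructed from the output shown above; parse_other_logs and extract_credentials are names chosen here. The same function body would go into a Logstash ruby filter, reading the field with event.get("other_logs") and writing results back with event.set.

```ruby
# Added example, not code from the original thread. Plain Ruby so it runs
# stand-alone; inside Logstash the same logic would live in a
# ruby { code => "..." } filter using event.get / event.set.

# other_logs as it looks after the json filter has decoded the message
# (real newlines, real quotes). Constructed from the output in the thread.
SAMPLE_OTHER_LOGS = [
  'Start Attack:"2020-07-02 08:00:10"',
  'End Attack:"2020-07-02 08:00:10"',
  'Client SSH:SSH-2.0-libssh-0.6.3',
  'User:packet',
  'Password:packet',
].join("\n")

# Turn "Key:value" lines into a Hash. Each line is split on the FIRST ":"
# only, so colons inside the value are preserved. A value wrapped in double
# quotes has the quotes removed. Blank lines and lines without a separator
# are skipped. If a key repeats, the last occurrence wins.
def parse_other_logs(text)
  return {} if text.nil?
  text.each_line.each_with_object({}) do |line, acc|
    line = line.chomp
    next if line.strip.empty?
    key, value = line.split(":", 2)
    next if value.nil?            # no "Key:value" separator on this line
    value = value.strip
    if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
      value = value[1..-2]
    end
    acc[key.strip] = value
  end
end

# The three fields the poster wanted, looked up by name rather than by
# array position, and already without the "User:" / "Password:" prefixes.
def extract_credentials(text)
  kv = parse_other_logs(text)
  {
    "Client SSH" => kv["Client SSH"],
    "User"       => kv["User"],
    "Password"   => kv["Password"],
  }
end

if __FILE__ == $PROGRAM_NAME
  extract_credentials(SAMPLE_OTHER_LOGS).each { |k, v| puts "#{k} => #{v.inspect}" }
end
```

These values come from the brute-force attempt itself, so treat them as attacker-controlled: a newline embedded in a submitted password would look like a new "Key:value" line to this parser just as it would to the gsub/split pipeline, so the upstream producer has to escape or quote its values if that matters; this parser at least fails by keeping the last value seen for a key rather than by silently shifting fields. If a ruby filter is not wanted, Logstash's kv filter (field_split and value_split options) is the declarative alternative to evaluate.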

Thank you, Badger, for your answer.
