I'm trying to filter netflow packets so that only documents for the protocol types I am interested in are indexed. There are multiple integers for which I want documents indexed in Elasticsearch, so it isn't really possible to chain together "or" statements.
Also, I have the valid protocol ID integers in a JSON file, so is it possible in Logstash to build an array of valid integers from that JSON file (or any other format)?
Here is the basic document format, and I want to pass documents with valid integers for field "protocol".
```json
{
  "host": "172.19.0.1",
  "@timestamp": "2018-11-10T13:44:44.000Z",
  "netflow": {
    "ipv4_dst_addr": "64.103.100.7",
    "flow_seq_num": 188327583,
    "flow_sampler_id": 0,
    "last_switched": "2018-11-10T13:44:29.999Z",
    "ipv4_src_addr": "144.254.75.180",
    "l4_src_port": 9004,
    "dst_mask": 23,
    "version": 9,
    "src_tos": 96,
    "in_pkts": 4,
    "in_bytes": 646,
    "tcp_flags": 24,
    "ipv4_next_hop": "64.103.99.189",
    "first_switched": "2018-11-10T13:44:18.999Z",
    "l4_dst_port": 38026,
    "src_as": 0,
    "flowset_id": 257,
    "src_mask": 22,
    "output_snmp": 7,
    "dst_as": 0,
    "protocol": 6,
    "input_snmp": 8
  }
}
```
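One way to do this is a Logstash `ruby` filter script that loads the allow-list from the JSON file once at startup and drops every event whose `[netflow][protocol]` is not in it. This is an added example, not code from the original post or from the Logstash project; the allow-list file layout `{"protocols": [...]}`, the `allowlist_path` script parameter and the file paths in the comments are assumptions.

```ruby
# Logstash ruby-filter script: keep only netflow events whose protocol number
# is in an allow-list loaded from a JSON file. Wire it into the pipeline with
# (paths are placeholders):
#   ruby {
#     path          => "/etc/logstash/filters/protocol_allowlist.rb"
#     script_params => { "allowlist_path" => "/etc/logstash/protocols.json" }
#   }
require "json"
require "set"

# Parse the allow-list text into a Set of integers. Accepts either a bare
# array ([6, 17]) or an object with a "protocols" key (assumed layout).
def parse_allowlist(json_text)
  data = JSON.parse(json_text)
  list = data.is_a?(Hash) ? data.fetch("protocols") : data
  Set.new(list.map { |v| Integer(v) })
end

# Decide whether an event with this protocol value should be kept. A missing
# or non-numeric value is dropped instead of being coerced to 0 (HOPOPT).
def keep_event?(protocol_value, allowed)
  return false if protocol_value.nil?
  allowed.include?(Integer(protocol_value))
rescue ArgumentError, TypeError
  false
end

# --- Logstash ruby filter entry points ---
def register(params)
  @allowed = parse_allowlist(File.read(params.fetch("allowlist_path")))
end

def filter(event)
  # Returning [] drops the event; [event] passes it on down the pipeline.
  keep_event?(event.get("[netflow][protocol]"), @allowed) ? [event] : []
end

# Stand-alone check with a constructed allow-list (not read from a file).
if __FILE__ == $PROGRAM_NAME
  allowed = parse_allowlist('{"protocols": [1, 6, 17]}')
  puts keep_event?(6, allowed)   # TCP, in the list  -> true
  puts keep_event?(47, allowed)  # GRE, not in list  -> false
end
```

Because the file is read in `register`, the allow-list is parsed once per pipeline worker rather than per event; edit the JSON and reload the pipeline to change it.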