Drop part of a fieldname

olatunde.tokun · February 10, 2020, 7:11pm

Looking for a more efficient way to drop the top part of Windows fields (winlog) for 50+ fields.

The less efficient way would be to have unique mutate > rename entries for each field. Any ideas on achieving this would be appreciated.

mutate {
rename    => { "[winlog][event_data][CommandLine]"               => "[event_data][commandline]" }
rename    => { "[winlog][event_data][Company]"                   => "[event_data][company]" }
rename    => { "[winlog][event_data][CurrentDirectory]"          => "[event_data][current_directory]" }
rename    => { "[winlog][event_data][Description]"               => "[event_data][description]" }}

Badger · February 10, 2020, 7:12pm

You can rename [winlog][event_data] and that will take all the subfields with it.

olatunde.tokun · February 10, 2020, 7:43pm

Thanks, just tested this and it seems to solve it.

Cheers.

system · March 9, 2020, 7:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rename field Logstash	3	703	February 21, 2018
Rename field winlog.event_data.TargetUserName Logstash	2	869	March 6, 2020
Drop "event_data." from data field Beats winlogbeat	7	2637	April 17, 2017
How to rename the field “event_data.TargetUserName” Logstash	1	534	February 15, 2018
Renaming fields wild card logstash Logstash	3	2215	August 6, 2019

Drop part of a fieldname

Related topics