Drop part of a fieldname

olatunde.tokun · February 10, 2020, 7:11pm

Looking for a more efficient way to drop the top part of Windows fields (winlog) for 50+ fields.

The less efficient way would be to have unique mutate > rename entries for each field. Any ideas on achieving this would be appreciated.

mutate {
rename    => { "[winlog][event_data][CommandLine]"               => "[event_data][commandline]" }
rename    => { "[winlog][event_data][Company]"                   => "[event_data][company]" }
rename    => { "[winlog][event_data][CurrentDirectory]"          => "[event_data][current_directory]" }
rename    => { "[winlog][event_data][Description]"               => "[event_data][description]" }}

Badger · February 10, 2020, 7:12pm

You can rename [winlog][event_data] and that will take all the subfields with it.

olatunde.tokun · February 10, 2020, 7:43pm

Thanks, just tested this and it seems to solve it.

Cheers.

system · March 9, 2020, 7:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.