Drop part of a fieldname

olatunde.tokun · February 10, 2020, 7:11pm

Looking for a more efficient way to drop the top part of Windows fields (winlog) for 50+ fields.

The less efficient way would be to have unique mutate > rename entries for each field. Any ideas on achieving this would be appreciated.

mutate {
rename    => { "[winlog][event_data][CommandLine]"               => "[event_data][commandline]" }
rename    => { "[winlog][event_data][Company]"                   => "[event_data][company]" }
rename    => { "[winlog][event_data][CurrentDirectory]"          => "[event_data][current_directory]" }
rename    => { "[winlog][event_data][Description]"               => "[event_data][description]" }}

Badger · February 10, 2020, 7:12pm

You can rename [winlog][event_data] and that will take all the subfields with it.

olatunde.tokun · February 10, 2020, 7:43pm

Thanks, just tested this and it seems to solve it.

Cheers.

Topic		Replies	Views
Rename field Logstash	3	738	February 21, 2018
Remove part of field name in Logstash Logstash	4	1126	January 9, 2018
Move subarrays to document root Logstash	8	3804	September 10, 2018
Remove a specific field from the log and overwrite the message field Logstash	8	2297	April 2, 2020
Parsing winlogbeat message field Beats winlogbeat	3	2114	July 20, 2019

Drop part of a fieldname

Related topics