Elasticsearch Filter Syntax

    filter {
      elasticsearch {
        hosts => ["https://10.0.0.20:9200","https://10.0.0.21:9200","https://10.0.0.22:9200","https://10.0.0.23:9200","https://10.0.0.24:9200","https://10.0.0.25:9200","https://10.0.0.26:9200"]
        ca_file => '/etc/logstash/elasticsearch-ca-neu.pem'
        user => 'elastic'
        password => '<password>'
        index => 'custom-misp-iocs*'
        query => '(misp.event.ioc.value:"%{[hash.sha256]}")'
        fields => { "[misp][event][ioc][value]" => "misphash" }
        fields => { "%{[misp][event][ioc][value]}" => "misphash1" }
        fields => { "[misp.event.ioc.value]" => "misphash2" }
        fields => { "misp.event.ioc.value]" => "misphash3" }
        fields => { "%{[misp.event.ioc.value]}" => "misphash4" }
        fields => { "@timestamp" => "misphash5" }
        fields => { "%{[@timestamp}" => "misphash6" }
        result_size => 1
        enable_sort => false
      }
    }

Which is the correct syntax? A misphash field is never created. If I execute the query manually it works great.

Found it on my own:

    query => 'misp.event.ioc.value:"%{[hash][sha256]}"'
    fields => { "[misp.event.id]" => "misp_event_id" }

But I don't really understand when I have to use [event][id] and when [event.id].

[event.id] is a field with a dot in its name.

    { "event.id": 1 }

[event][id] is an object called [event] that contains an [id] field:

    { "event": { "id": 1 } }

Logstash uses a different syntax to the rest of the Elastic stack.

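To make the difference between the two notations concrete, here is a small added example (not code from the thread or from Logstash itself) that resolves Logstash-style field references against a constructed event and expands `%{...}` references the way the filter's `query` option does. It assumes, as Logstash does, that a reference which cannot be resolved is left in the string verbatim, which is why `%{[hash.sha256]}` produced a query that never matched while `%{[hash][sha256]}` works.

```python
import re
from typing import Any, Optional

# Constructed sample event in the shape the thread describes: the SHA-256
# sits inside a nested "hash" object, and, for contrast, one key carries a
# literal dot in its name next to a genuinely nested "event" object.
SAMPLE_EVENT: dict = {
    "hash": {"sha256": "ab" * 32},
    "event.id": 1,            # a single field whose name contains a dot
    "event": {"id": 2},       # an object "event" holding a field "id"
}

_SEGMENT = re.compile(r"\[([^\[\]]+)\]")


def get_field(event: dict, ref: str) -> Optional[Any]:
    """Resolve a Logstash-style field reference against an event.

    "[event][id]" walks into the "event" object and returns its "id";
    "[event.id]"  looks up the one top-level key literally named "event.id";
    a bare name such as "message" is a single top-level key.
    Returns None when any segment is missing.
    """
    segments = _SEGMENT.findall(ref) or [ref]
    node: Any = event
    for seg in segments:
        if not isinstance(node, dict) or seg not in node:
            return None
        node = node[seg]
    return node


_SPRINTF = re.compile(r"%\{(\[[^{}]*\])\}")


def sprintf(fmt: str, event: dict) -> str:
    """Expand %{[a][b]} references inside a string such as the filter's
    query option. An unresolvable reference is left in place verbatim
    (assumption: this mirrors Logstash, which does not blank it out), so
    the query from the thread keeps the literal text %{[hash.sha256]}
    until the reference is written as %{[hash][sha256]}."""
    def replace(match: "re.Match[str]") -> str:
        value = get_field(event, match.group(1))
        return match.group(0) if value is None else str(value)
    return _SPRINTF.sub(replace, fmt)
```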
