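filter {
  elasticsearch {
    # The posted hosts read "https://10. 0.0.20:9200" with a space after "10.";
    # that may be forum formatting, but a literal space makes the URL invalid,
    # so the addresses are written without it here.
    hosts => [
      "https://10.0.0.20:9200",
      "https://10.0.0.21:9200",
      "https://10.0.0.22:9200",
      "https://10.0.0.23:9200",
      "https://10.0.0.24:9200",
      "https://10.0.0.25:9200",
      "https://10.0.0.26:9200"
    ]
    ca_file => '/etc/logstash/elasticsearch-ca-neu.pem'
    # Lookups only need read access to the IOC index; a dedicated role scoped
    # to custom-misp-iocs* is preferable to the built-in 'elastic' superuser.
    user => 'elastic'
    # Keep the secret in the Logstash keystore (or an environment variable) and
    # reference it as ${NAME} instead of writing it into the pipeline file.
    # ES_PWD is an example name chosen here; create the entry with
    # bin/logstash-keystore add ES_PWD.
    password => "${ES_PWD}"
    index => 'custom-misp-iocs*'
    # %{...} is sprintf'd against the event being enriched, not the ES hit.
    # [hash.sha256] means a top-level event field literally named "hash.sha256".
    # If the event stores it as a nested object ([hash][sha256], ECS style) the
    # reference does not resolve and the literal text "%{[hash.sha256]}" is sent
    # as the query, which matches nothing -> no hit -> nothing is copied.
    # Running the query by hand with the real hash hides that, so check the
    # event shape (e.g. rubydebug output) and adjust the reference if needed.
    query => '(misp.event.ioc.value:"%{[hash.sha256]}")'
    # Give 'fields' exactly once (repeating the option is at best redundant and,
    # depending on the Logstash version, may be rejected or overridden).
    # Key   = field in the matched document's _source
    # Value = destination field on the event
    # Keys are NOT sprintf'd, so the %{...} forms never match a source field,
    # and "misp.event.ioc.value]" / "%{[@timestamp}" are simply malformed.
    # Use field-reference syntax for a nested source document; a plain name
    # such as "@timestamp" is fine for a top-level field. If the plugin version
    # in use only does a flat _source lookup, a dotted key or a later mutate
    # may be needed instead -- confirm against the installed filter version.
    fields => {
      "[misp][event][ioc][value]" => "misphash"
      # Top-level field copied as a diagnostic: if misphash5 appears but
      # misphash does not, the query hit but the nested key did not resolve.
      "@timestamp" => "misphash5"
    }
    result_size => 1
    enable_sort => false
  }
}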
Which of these is the correct syntax? No misphash field is ever created. If I run the query manually against Elasticsearch, it works fine.