Enrichment via Elasticsearch Lookup

shinobu · April 1, 2022, 9:08am

Hello,
I tried to enrich alerting information with data from a logindex.

In Logstash I configured the following as a filter:

  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logfile"
    query => "Hostname:%{test_host} and ClientIP:172.18.0.0/14"    
    fields => { "Hostname" => "lookedupHostname" }
    result_size => 1
    enable_sort => false
  }

When I tried the Query in Kibana Discover I got the expected results, but the enrichment plugin fails to lookup information based on the query. It appears to struggle with the cidr notation for some reason.

When I remove the ClientIP part from the query it successfully resolves the lookup. The result here looks different than I would expect. The variable "test_host" and the value in the created lookup "lookedupHostname" would be the same, since I specified to store the lookedup field, but they are different.

Any ideas what the issues are and how to resolve them?
Thank you in advance.

shinobu · April 1, 2022, 10:37am

It appears that the query does not matter. No matter what parameter I use for the lookup, it always returns the same result.

system · April 29, 2022, 10:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Enriching elasticsearch inserts with elasticsearch lookups Logstash	3	305	June 27, 2018
Using multiple hosts in env var / Elasticsearch filter Logstash	2	498	October 22, 2021
Logstash-filter-elasticsearch query Logstash	1	959	September 15, 2017
Data enrichment using logstash with translate plugin Logstash	1	174	June 12, 2023
Data enrichment Logstash	0	108	May 2, 2024

Enrichment via Elasticsearch Lookup

Related Topics