Filebeat Processors - Can i condition between two vars?

Elastic Stack Beats
1

Hello,

Is it possible to compare between 2 vars in input data?

For example:

processors:
  - add_host_metadata:
      netinfo.enabled: true

  - if:
      contains:
        host.ip: $source.ip
    then:
      - add_fields:
          target: communication
          fields:
            type: internal

source.ip is a field on input data.
host.ip created in add_host_metadata.

In this example, I got from the input event the source IP and I will happy to check if the IP address exists in host.ip (add_host_metadata) to determine if the IP address is internal address.

Thanks :slight_smile:

2

U could try {{source.ip}}. That's how u reference a field value in the ingest processors but idk if it will work in the beats processors. I tried looking in GitHub for an example but wasn't able to find one.

3

Thank you for your answer.
Unfortunately, It doesn't work. :frowning:

4

Based on another forum post, I'd say your best bet to do this is using logstash or an ingest pipeline.

6

Thanks :slight_smile:

Can I use javascript processors script?
I tried to write a function to find a solution:

processors:
  - add_host_metadata:
      netinfo.enabled: true

  - script:
      lang: javascript
      id: my_filter

      source: >
        function process(event) {
            var ips = event.Get("host.ip");
            var src_ip = event.Get('source.ip');
            if (ips.includes(src_ip)) {
                event.Tag("internal");
            }
            return event;
        }

But I got the exception when I try to check if source IP exists in ips array (host.ip --> host metadata)

"message": "TypeError: Object has no member 'includes' at process (inline.js:4:21(19))"

Did anyone get this javescript exception?

7

Hmm, take a look at the other JS scripts. Try ips.indexOf(xxx) !== -1

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.