Filebeat Processors - Can i condition between two vars?

Hello,

Is it possible to compare between 2 vars in input data?

For example:

processors:
  - add_host_metadata:
      netinfo.enabled: true

  - if:
      contains:
        host.ip: $source.ip
    then:
      - add_fields:
          target: communication
          fields:
            type: internal

source.ip is a field on input data.
host.ip created in add_host_metadata.

In this example, I got from the input event the source IP and I will happy to check if the IP address exists in host.ip (add_host_metadata) to determine if the IP address is internal address.

Thanks

U could try {{source.ip}}. That's how u reference a field value in the ingest processors but idk if it will work in the beats processors. I tried looking in GitHub for an example but wasn't able to find one.

Thank you for your answer.
Unfortunately, It doesn't work.

Based on another forum post, I'd say your best bet to do this is using logstash or an ingest pipeline.

Thanks

Can I use javascript processors script?
I tried to write a function to find a solution:

processors:
  - add_host_metadata:
      netinfo.enabled: true

  - script:
      lang: javascript
      id: my_filter

      source: >
        function process(event) {
            var ips = event.Get("host.ip");
            var src_ip = event.Get('source.ip');
            if (ips.includes(src_ip)) {
                event.Tag("internal");
            }
            return event;
        }

But I got the exception when I try to check if source IP exists in ips array (host.ip --> host metadata)

"message": "TypeError: Object has no member 'includes' at process (inline.js:4:21(19))"

Did anyone get this javescript exception?

Hmm, take a look at the other JS scripts. Try ips.indexOf(xxx) !== -1

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.