Filter KV

I'm using KV to filter the data from the raw logs of a firewall.

I have a field that sometimes has two values, and I'd like to keep only the first one.

How could I filter only the first one? I attach my filter. I tried to use allow_duplicate.

kv {
  # Note: values with spaces are lost (still getting there)
  field_split => " "
  trim_key => "<>\[\], "
  trim_value => "<>\[\],"
  # Only include the fields which are of interest (don't need everything)
  allow_duplicate_values => false
  include_keys => ["act","rt","spt","dpt","match_id","rule_action","ifname","dst","inzone","outzone","product","proto","service_id","src"]
}

And an example that has the problem (I'd like to remove the second value of match_id, 16777237):

act=Accept app=HTTPS destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 rt=1569794516000 sourceTranslatedAddress=xx.xx.xx.xx sourceTranslatedPort=0 spt=57172 dpt=443 cs2Label=Rule Name layer_name=BZ_MAIN_CLUSTER_NO_QOS Security layer_name=BZ_MAIN_CLUSTER_NO_QOS Application layer_uuid=6407ecb5-7913-4682-99f4-9d269e2c7642 layer_uuid=90819300-115c-4ee7-be1f-a7b7554ed0d1 match_id=242 match_id=16777237 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=d8ff3fb8-40be-4872-a863-b40b7c003f22 rule_uid=34106d8f-1fff-40aa-91b9-0aa6e2917274 conn_direction=Outgoing contextnum=1 ifname=eth3 logid=0 loguid={0x5d9129d3,0x80011,0xf919c152,0xc0000000} origin=xx.xxx.xx.xxx originsicname=CN\=it-boz-phoenix-fw1,O\=xxxxxx sequencenum=2 version=5 context_num=1 dst=xxx.xx.xx.xx hll_key=15255036334554928934 inzone=Internal nat_addtnl_rulenum=1 nat_rulenum=35 needs_browse_time=1 outzone=External product=xxxx proto=6 service_id=xxxx sig_id=4 src=10.62.1.67

Thank you
Franco

if [match_id][0] { mutate { replace => { "match_id" => "%{[match_id][0]}" } } }
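Added example, not part of the thread and not Logstash's own code: a small plain-Ruby emulation of what the kv filter does with the settings above, run over a constructed line modelled on the one in the question (addresses are placeholders). It makes the point behind the answer visible: allow_duplicate_values => false only drops identical key=value pairs, so rule_action=Accept rule_action=Accept collapses to a single string, while match_id=242 match_id=16777237 still ends up as a two-element array and needs the mutate/replace step. The helper names kv_emulate and keep_first are assumptions for this example.

```ruby
# Added example: emulation of Logstash kv semantics (field_split " ", include_keys,
# allow_duplicate_values) in plain Ruby. Not Logstash code; helper names are assumed.

INCLUDE_KEYS = %w[act rt spt dpt match_id rule_action ifname dst inzone outzone
                  product proto service_id src].freeze
TRIM_CHARS = "<>[],"   # what the thread's trim_key / trim_value strip at either end

# Constructed sample line, modelled on the question (placeholder addresses).
SAMPLE = "act=Accept app=HTTPS cs2Label=Rule Name match_id=242 match_id=16777237 " \
         "parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept " \
         "ifname=eth3 dst=203.0.113.10 inzone=Internal outzone=External " \
         "proto=6 src=10.62.1.67"

# Strip TRIM_CHARS from the start and end of a key or value, as kv's trim_* options do.
def trim(str)
  cls = Regexp.escape(TRIM_CHARS)
  str.gsub(/\A[#{cls}]+|[#{cls}]+\z/, "")
end

# Emulates kv: split on spaces, keep only include_keys, and with
# allow_duplicate_values: false drop a pair only when key AND value already exist.
# A repeated key with a different value becomes an array, exactly like match_id above.
def kv_emulate(line, include_keys: INCLUDE_KEYS, allow_duplicate_values: false)
  fields = {}
  line.split(" ").each do |token|
    key, value = token.split("=", 2)
    next if value.nil?                   # "Name" (from "Rule Name") has no "=", so it is lost
    key = trim(key)
    value = trim(value)
    next unless include_keys.include?(key)
    if fields.key?(key)
      existing = Array(fields[key])
      next if !allow_duplicate_values && existing.include?(value)
      fields[key] = existing + [value]   # differing values: array, as kv produces
    else
      fields[key] = value
    end
  end
  fields
end

# Equivalent of the answer's mutate { replace => { "match_id" => "%{[match_id][0]}" } }:
# when the field is an array, keep only its first element.
def keep_first(fields, key)
  value = fields[key]
  fields[key] = value.first if value.is_a?(Array) && !value.empty?
  fields
end

if __FILE__ == $PROGRAM_NAME
  parsed = kv_emulate(SAMPLE)
  puts "after kv:        match_id=#{parsed['match_id'].inspect} rule_action=#{parsed['rule_action'].inspect}"
  puts "after keep_first: match_id=#{keep_first(parsed, 'match_id')['match_id'].inspect}"
end
```

Guard the mutate with the same `if [match_id][0]` test the answer uses: on events where the firewall sends a single match_id, the field is a plain string, `[match_id][0]` does not exist, and the replace is skipped, so the pipeline behaves the same for single- and multi-layer policy matches.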
