Hi Team,
In logstash the filters are not working. The data is coming from azure blob storage.
filter {
split {
field => "[records]"
}
split {
field => "[records][properties][flows]"
}
split {
field => "[records][properties][flows][flows]"
}
split {
field => "[records][properties][flows][flows][flowTuples]"
}
mutate {
split => {
"[records][resourceId]" => "/"
}
add_field => {
"Subscription" => "%{[records][resourceId][2]}"
"ResourceGroup" => "%{[records][resourceId][4]}"
"NetworkSecurityGroup" => "%{[records][resourceId][8]}"
}
convert => {
"Subscription" => "string"
}
convert => {
"ResourceGroup" => "string"
}
convert => {
"NetworkSecurityGroup" => "string"
}
split => {
"[records][properties][flows][flows][flowTuples]" => ","
}
add_field => {
"unixtimestamp" => "%{[records][properties][flows][flows][flowTuples][0]}"
"srcIp" => "%{[records][properties][flows][flows][flowTuples][1]}"
"destIp" => "%{[records][properties][flows][flows][flowTuples][2]}"
"srcPort" => "%{[records][properties][flows][flows][flowTuples][3]}"
"destPort" => "%{[records][properties][flows][flows][flowTuples][4]}"
"protocol" => "%{[records][properties][flows][flows][flowTuples][5]}"
"trafficflow" => "%{[records][properties][flows][flows][flowTuples][6]}"
"traffic" => "%{[records][properties][flows][flows][flowTuples][7]}"
}
convert => {
"unixtimestamp" => "integer"
}
convert => {
"srcPort" => "integer"
}
convert => {
"destPort" => "integer"
}
}
date {
match => ["unixtimestamp", "UNIX"]
}
}
What should I change to make sure that the data will be filtered properly?