Help with filter/mutate, replace netflow snmp field

Hi,

I'm doing something wrong, so please help. Input comes from two sources:

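input {
  snmp {
    walk => ["1.3.6.1.2.1.2.2.1.2"]
    # `community` only applies to SNMP v1/v2c; with version "3" it is dead
    # config, so the well-known "public" value below does nothing here.
    hosts => [{host => "udp:xxx" community => "public" version => "3" retries => 5 timeout => 1000 }]
    security_name => "xxx"
    # Plaintext credentials in the pipeline file; the Logstash keystore can
    # supply them instead, e.g. auth_pass => "${SNMP_AUTH_PASS}".
    auth_pass => "xxx"
    auth_protocol => "sha"
    # auth_pass/auth_protocol are only used when the security level requests
    # authentication. NOTE(review): confirm the plugin's default for this
    # option in the version in use; prefer "authPriv" together with
    # priv_protocol/priv_pass so the walk is encrypted as well as signed.
    security_level => "authNoPriv"
    interval => 300
    oid_root_skip => 9
    # Give the event a type so the elasticsearch output's
    # index => "%{type}-..." sprintf resolves instead of producing a literal
    # "%{type}" index name.
    type => "snmp"
    add_field => { hostname => "%{[@metadata][host_protocol]}:%{[@metadata][host_address]}/%{[@metadata][host_port]},%{[@metadata][host_community]}" }
  }
  udp {
    host => "0.0.0.0"
    port => 2050
    type => "netflow"
    codec => netflow {
      # The original paste commented this line out together with the closing
      # braces of codec/udp, which left the whole input block unterminated.
      #netflow_definitions => "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-codec-netflow-3.14.1/lib/logstash/codecs/netflow/netflow.yaml"
    }
  }
}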

I want to replace the value of the netflow field [netflow][input_snmp] with the value of the matching snmp field. I can't even replace it with the static value "vodenica".

snmp:

"_source": {
"ifDescr.30": "Vlan1",

and

[netflow][input_snmp] == 30

then put "Vlan1" into the field [netflow][input_snmp].

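filter {
  # Field references in a conditional are bare. The original quoted
  # "[netflow][input_snmp]" is a string literal that never equals 30, so the
  # replace inside this branch never ran — which is why even the static
  # value did not show up.
  if [netflow][input_snmp] == 30 {
    mutate {
      replace => { "[netflow][input_snmp]" => "vodenica" }
      # "%{[ifDescr.30]}" only resolves if this same event carries
      # ifDescr.30. The snmp walk arrives as a separate event, so on a
      # netflow event the sprintf is left as literal text. Matching across
      # events needs a lookup filter (e.g. translate with a dictionary)
      # rather than a field reference.
      #replace => { "[netflow][input_snmp]" => "%{[ifDescr.30]}" }
    }
  }

  mutate {
    replace => { "[netflow][output_snmp]" => "vodenicaaaaaaaaaaaaaaa" }
    add_field => { "[netflow][output_snmptest]" => "vodenicaaaaaaaaaaaaaaa" }
  }

  mutate {
    # Duplicates from the original list dropped: flow_seq_num, flowset_id,
    # first_switched and last_switched were each listed more than once.
    remove_field => [
      "[netflow][dst_locality]", "[netflow][dst_as]", "[netflow][version]",
      "[netflow][dst_mask_len]", "[netflow][first_switched]",
      "[netflow][flow_locality]", "[netflow][flow_seq_num]",
      "[netflow][flowset_id]", "[netflow][last_switched]",
      "[netflow][protocol]", "[netflow][src_as]", "[netflow][tcp_flags]",
      "@version"
    ]
    # One add_field hash instead of two for the same plugin instance.
    # NOTE(review): the ifDescr.27 entry only makes sense on an event that
    # already has ifDescr.27 (the snmp walk event), where add_field turns
    # the field into an array; on a netflow event it stores the literal
    # "%{[ifDescr.27]}" — confirm that is intended.
    add_field => {
      "SonPen" => "xxx"
      "ifDescr.27" => "%{[ifDescr.27]}"
    }
  }
}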

output {
  file {
    # One file per hour; the path is a date-only sprintf, so no event field
    # is interpolated into it.
    path => "/etc/logstash0/py1.out.%{+yyyy.MM.dd.HH}"
    #codec => line { format => "custom format: %{message}" }
  }

  elasticsearch {
    # NOTE(review): bare host:port entries with no ssl/user/password here
    # mean a plain, unauthenticated HTTP connection unless the cluster side
    # enforces otherwise — confirm and add them (keystore-backed) if needed.
    hosts => [
      'xxx:9200',
      'xxx:9200',
      'xxx:9200',
      'xxx:9200'
    ]
    # "%{type}" resolves only when the event carries a type field, i.e. when
    # each input sets type => "..."; otherwise the index is literally named
    # "%{type}-<timestamp>".
    index => "%{type}-%{+YYYY.MM.dd.HH}"
  }
}
