How can I find some designated value after using split

Elastic Stack Logstash
1

Hi there,
I have a filed looks like this format on kibana:
flow.tcp_flags : SYN, RST, PSH, ACK
I want to split each type, so I will do

fliter {
  mutate {
    split => ["[flow][tcp_flags]", ","]
  }
}

after this, I think data will like this:

    "flow.tcp_flags" => [
      [0] "SYN"
      [1] "RST"
      [2] "PSH"
      [3] "ACK"
    ]

can I find designated value after split?
I want to do like

    fliter {
      if "SYN" in [flow][tcp_flags] {
        mutate {
          add_field => {
            "has_syn" => "true"
          }
        }
      }
    }

Does somebody know how to do this?
Thanks
Kase

2

I would expect exactly what you have written to work if you add

mutate { strip => [ "[flow][tcp_flags]" ] }

to remove the leading whitespace after the split.

3

Hi @Badger,
thanks to your answer, I will try it.
so

    fliter {
      if "SYN" in [flow][tcp_flags] {
        mutate {
          add_field => {
            "has_syn" => "true"
          }
        }
      }
    }

can works as I expected?

4

I have tried this, it can works as I expected, but I also have another question, in my logstash config file, my input is elasticsearch, out is redis, so format is like:

input {
  elasticsearch {
    ....
  }
}

filter {
...
}

output {
...
}

I found that field I add in filter, will actually add in input elasticsearch, is that normal?

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.