How can I find some designated value after using split

kase · June 20, 2020, 8:27am

Hi there,
I have a filed looks like this format on kibana:
flow.tcp_flags : SYN, RST, PSH, ACK
I want to split each type, so I will do

fliter {
  mutate {
    split => ["[flow][tcp_flags]", ","]
  }
}

after this, I think data will like this:

    "flow.tcp_flags" => [
      [0] "SYN"
      [1] "RST"
      [2] "PSH"
      [3] "ACK"
    ]

can I find designated value after split?
I want to do like

    fliter {
      if "SYN" in [flow][tcp_flags] {
        mutate {
          add_field => {
            "has_syn" => "true"
          }
        }
      }
    }

Does somebody know how to do this?
Thanks
Kase

Badger · June 20, 2020, 3:47pm

I would expect exactly what you have written to work if you add

mutate { strip => [ "[flow][tcp_flags]" ] }

to remove the leading whitespace after the split.

kase · June 22, 2020, 12:38am

Hi @Badger,
thanks to your answer, I will try it.
so

    fliter {
      if "SYN" in [flow][tcp_flags] {
        mutate {
          add_field => {
            "has_syn" => "true"
          }
        }
      }
    }

can works as I expected?

kase · July 1, 2020, 1:32am

I have tried this, it can works as I expected, but I also have another question, in my logstash config file, my input is elasticsearch, out is redis, so format is like:

input {
  elasticsearch {
    ....
  }
}

filter {
...
}

output {
...
}

I found that field I add in filter, will actually add in input elasticsearch, is that normal?

Topic		Replies	Views
Logstash split String Logstash	2	5906	June 6, 2017
Logstash. Mutate's split doesn't split string Logstash	2	403	August 27, 2021
Split message logstash elasticsearch Logstash	3	727	March 8, 2022
Logstash filter not able to split Logstash	4	1033	July 6, 2017
Split json Logstash	2	256	April 22, 2020

How can I find some designated value after using split

Related topics