Hello.
I now have an index on elasticsearch after converting the pcap file to json.
One of the protocols has a full name of "s7comm-plus", but only "plus" is visible in the index.
The other protocols look correctly.
My logstash fileter is below.
grok {
match => {
"[layers] [frame] [frame_frame_protocols]" => "% {WORD: protocol} $"
}
}
How can I change the logstash filter or elasticsearch?
Update: I just realized this is a logstash question and I answered with an Elasticsearch example. The core of it however is still true and you need to change your pattern type. I also moved this to the logstash forum.
Take this example
POST /_ingest/pipeline/_simulate
{
"pipeline": {
"description": "_description",
"processors": [
{
"grok": {
"field": "input",
"patterns": [
"%{WORD:output}"
]
}
}
]
},
"docs": [
{
"_index": "index",
"_id": "id",
"_source": {
"input": "s7comm-plus"
}
}
]
}
when running this, you will see that the output only contains s7comm, as the dash is a word boundary. You could try sth like USER instead of WORD and see if that works, as that one includes a dash. You could also come up with your own pattern using a better name 
Thank you for replying.
I solved this problem by using 'if' statements in the logstash config file.
Thank you and have a great day
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.