How can I update a Logstash field value?

Logstash field:

"keywords" => [
     [0] "Audit Success"
 ]

I wish:
"keywords" => "Audit Success"

How was this field created? Showing your current configuration is probably helpful.

filter {
  if [type] == "wineventlog" {

    # Copy every key of event_data to the top level, then drop the container
    ruby {
      code => "
        event.get('event_data').each {|k, v|
          event.set(k, v)
        }
        event.remove('event_data')
      "
    }

    # Flatten nested host/user fields into simple top-level names
    mutate {
      rename => [ "[host][name]", "hostname" ]
      rename => [ "[user][identifier]", "user_identifier" ]
      rename => [ "[user][type]", "user_type" ]
      rename => [ "[user][domain]", "user_domain" ]
      rename => [ "[user][name]", "user.name" ]
    }

    # Drop fields that are not needed downstream
    mutate {
      remove_field => [ "tags", "opcode", "@version", "beat", "message", "LogonGuid", "ProcessId", "ProcessName", "SubjectLogonId", "SubjectUserSid", "TargetInfo", "TargetLogonGuid", "activity_id", "event_id", "opcode", "process_id", "provider_guid", "record_number", "param10", "param11", "param2", "param4", "param5", "param8", "thread_id", "param7", "LmPackageName", "PrivilegeList", "IpPort", "ImpersonationLevel", "KeyLength", "TransmittedServices", "TargetLogonId", "TargetUserSid", "host" ]
    }
  }
}

Available fields look like:

"keywords" => [
     [0] "Download",
     [1] "Started"
 ],

I wish:
keywords_Download => 0
keywords_Download_started => 1

How can I split those fields?
Thank you.

Okay. And keywords is initially [event_data][keywords]? Changing event.set(k, v) to event.set(k, v[0]) will extract the first element of the array, but it assumes that all values in event_data are arrays which might not be true. You can use a conditional to check the type of v and only access the first array element if v actually is an array.
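The conditional suggested in the reply, written out as a stand-alone Ruby script rather than pasted into a `code =>` string, so the logic can be run and tested outside Logstash. This is an added example, not code from the thread: `StubEvent` is a hypothetical stand-in for the Logstash event object (only `get`, `set` and `remove` are mimicked), `flatten_event_data` answers the first question (one-element arrays become scalars, everything else is copied unchanged, and a missing `event_data` is tolerated), and `explode_array_field` is one reading of the second question (each array value becomes a `<field>_<value>` key holding that value's index). The sample events are constructed for the example.

```ruby
# Added example: Logstash ruby-filter logic with the type check the reply recommends.
# In a real pipeline the body of flatten_event_data would go inside `code => "..."`
# and `event` would be supplied by Logstash; StubEvent (hypothetical) fills that role here.

class StubEvent
  def initialize(data)
    @data = data
  end

  # Only the three methods the filter code relies on are emulated
  def get(field)
    @data[field]
  end

  def set(field, value)
    @data[field] = value
  end

  def remove(field)
    @data.delete(field)
  end

  def to_hash
    @data.dup
  end
end

# Copy each key of event_data to the top level. A one-element array is replaced by
# its single value ("keywords" => ["Audit Success"] becomes "Audit Success");
# scalars and multi-value arrays are copied as-is, so nothing is silently lost.
def flatten_event_data(event)
  data = event.get('event_data')
  return event unless data.is_a?(Hash) # nothing to do if the field is absent

  data.each do |k, v|
    if v.is_a?(Array) && v.length == 1
      event.set(k, v[0])
    else
      event.set(k, v)
    end
  end
  event.remove('event_data')
  event
end

# One interpretation of the follow-up wish (assumption, not from the thread):
# for "keywords" => ["Download", "Started"] produce keywords_Download => 0 and
# keywords_Started => 1. Non-word characters in the value are replaced by "_"
# so the generated field names stay simple. The original array field is kept.
def explode_array_field(event, field)
  values = event.get(field)
  return event unless values.is_a?(Array)

  values.each_with_index do |v, i|
    suffix = v.to_s.gsub(/\W+/, '_')
    event.set("#{field}_#{suffix}", i)
  end
  event
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample resembling a winlogbeat event after the wineventlog branch
  sample = StubEvent.new(
    'type' => 'wineventlog',
    'event_data' => { 'keywords' => ['Audit Success'], 'LogonType' => '3' }
  )
  flatten_event_data(sample)
  p sample.to_hash

  multi = StubEvent.new('keywords' => ['Download', 'Started'])
  explode_array_field(multi, 'keywords')
  p multi.to_hash
end
```

Because the check is on `v.is_a?(Array)`, string values such as `LogonType` are left untouched, which is the pitfall the reply warns about with an unconditional `v[0]`.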
