How catch "user.name" parameter from winlog with logstash

Hello,
I wrote the following line in the filter section of my pipeline:

mutate { add_field => {"parameter" => "{[user][name]}" } }

It does not work. The parameter field is filled with "{[user][name]}" as text and the original value is skipped.

By reading the docs I noticed the parameters belong to the ECS schema: winlog.user.name is an empty field, while user.name reports the right data.

Could you help me?

Can you copy your message field to see what is coming to LS?

Hi Rios,
thank you for your reply.
The 'message' field does not contain the username field, because it only contains the information forwarded by the Windows log (winlogbeat), while the 'event.original' field is empty.

The 'user.name' field, I believe, is added by Elasticsearch following the Elasticsearch schema and is not referenced anywhere else except in the 'user.name' field, which is different from the 'winlog.user.name' field.

The parsing of winlogbeat events is done in Elasticsearch using an ingest pipeline; you will not have this field in Logstash, so you cannot use it.

Hi leandrojmp,
thanks for your response.

There is a field "user.name" in Elasticsearch; I can see it in Kibana. I need to catch the value using the filter section in the Logstash pipeline.

Yeah, this field exists in Elasticsearch and you can see it in Kibana because it is created by the Winlogbeat ingest pipeline, which runs in Elasticsearch. As I mentioned before, all the parsing for the Windows event logs is done in Elasticsearch.

You can't, because this field does not exist in the event while it is in Logstash. It will only be created after the message reaches Elasticsearch and is parsed, and the message will be parsed in Elasticsearch, not in Logstash.

In Logstash you have only the raw event, not the parsed event; the parsed event only exists in Elasticsearch.

If you want to create new fields based on the parsed fields, you will need to do that in Elasticsearch using an ingest pipeline, not in Logstash.
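As an added illustration of the advice above (not code from the thread or from the Winlogbeat project), this is the shape of an Elasticsearch ingest pipeline that creates the "parameter" field from the ECS user.name field once the Winlogbeat module pipeline has populated it. The pipeline name, the field name "parameter" (taken from the question) and the mustache template are the assumptions here; the Painless condition guards against events that carry no user.name, so the processor does not fail or write an empty string.

```json
{
  "description": "Hypothetical pipeline: copy ECS user.name into a custom 'parameter' field after Winlogbeat parsing",
  "processors": [
    {
      "set": {
        "field": "parameter",
        "value": "{{{user.name}}}",
        "if": "ctx.user?.name != null"
      }
    }
  ]
}
```

Store it with PUT _ingest/pipeline/<your-pipeline-name> and check it against a sample document with POST _ingest/pipeline/<your-pipeline-name>/_simulate before wiring it in. Because the Winlogbeat module pipeline runs as the default pipeline for the index, this processor must run after it, for example by setting index.final_pipeline on the Winlogbeat index template to this pipeline. For comparison, the reason the original Logstash snippet printed the literal text is that a Logstash field reference inside a string needs the sprintf form %{[user][name]}; even with that syntax the field would still be absent in Logstash, as explained above, which is why the work belongs in the ingest pipeline.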
