How to change client_ip into a custom name in ELK Stack

fernando974 · August 1, 2018, 11:26am

Hello,

I am learning to use ELK Stack and i would like to know how to change the value of a fields in kibana.
I am currently using packetbeat which analyze the traffic on the network in real time with a port mirroring which send the data first to logstash then to elasticsearch and finally to kibana.

I am getting the right client_ip but i want to change it to get custom name for each client who are connected in kibana visualization

I am using ELK stack in version 6.3
My network using a proxy btw

Thanks.

Ps: Sorry for my english i'm french !

tsullivan · August 1, 2018, 8:23pm

In your data pipeline, since you have Packetbeat sending to Logstash, perhaps you could add the rules for processing the data using filters in the Logstash configuration. That would be the top recommendation: prepare the data as needed before it gets indexed into Elasticsearch, and then you have have it in your index mapping.

See https://www.elastic.co/guide/en/logstash/current/filter-plugins.html - there are a ton of filter options and one of them should be suitable for what you need.

fernando974 · August 2, 2018, 7:10am

Yep found it thanks i should have been more careful :

filter {
if ([client_ip] == "192.168.1.1") {
mutate {
replace => {
"[client_ip]" => "PC1"
}
}
}
else if ([client_ip] == "192.168.1.2") {
mutate {
replace => {
"[client_ip]" => "PC2"
}
}
}
else if ([client_ip] == "192.168.1.3") {
mutate {
replace => {
"[client_ip]" => "PC3"
}
}
}

tsullivan · August 2, 2018, 5:37pm

Awesome! Glad it worked.

system · August 30, 2018, 5:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.