{
"_source": {
"notification": {
""eventDescription": "[Monitored alert priority >=4] [***] [https://***] [The application powershell.exe is executing a fileless script or command.] [Incident id: ***] [Threat score: 4] [Group: ******] [Email: ****] [Name: ******] [Type and OS: WINDOWS Windows 10 x64] [Severity: Monitored]\n","
}
}
}
I want parse the data of eventDescription field. Help is needed.
From where you wanted to parse the data ? Can you mention it little bit clearly ..Are you trying to parse the data from elasticsearch to somewhere else ??
Hi,
From logstash.
You can use the kv filter's include_keys option to parse only the particular field from logstash to elastic search .
refer :https://www.elastic.co/guide/en/logstash/6.5/plugins-filters-kv.html
Hope it helps.
@Gmoathi.. Didnt work..
The message is delimited using [ and ], so I would use a dissect filter for that.
@Badger, i will check and get back to you
dissect filter helps me to extract it..
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.