How to extract the data?

yuva_rajan · April 24, 2019, 4:47am

Below is the data in json

{
"_source": {
"notification": {
""eventDescription": "[Monitored alert priority >=4] [***] [https://***] [The application powershell.exe is executing a fileless script or command.] [Incident id: ***] [Threat score: 4] [Group: ******] [Email: ****] [Name: ******] [Type and OS: WINDOWS Windows 10 x64] [Severity: Monitored]\n","
}
}
}

I want parse the data of eventDescription field. Help is needed.

Gomathi_Meena · April 24, 2019, 5:10am

From where you wanted to parse the data ? Can you mention it little bit clearly ..Are you trying to parse the data from elasticsearch to somewhere else ??

yuva_rajan · April 24, 2019, 5:31am

Hi,

From logstash.

Gomathi_Meena · April 24, 2019, 5:41am

You can use the kv filter's include_keys option to parse only the particular field from logstash to elastic search .
refer :https://www.elastic.co/guide/en/logstash/6.5/plugins-filters-kv.html
Hope it helps.

yuva_rajan · April 24, 2019, 9:14am

@Gmoathi.. Didnt work..

Badger · April 24, 2019, 1:30pm

The message is delimited using [ and ], so I would use a dissect filter for that.

yuva_rajan · April 25, 2019, 9:11am

@Badger, i will check and get back to you

yuva_rajan · April 27, 2019, 10:47am

dissect filter helps me to extract it..

system · May 25, 2019, 10:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.