kv {
source => "remain"
field_split => ","
value_split => "=" }
mutate {
rename => ["USERNAME", "user.name" ]
}
I am using KV filter to extract fields from 'remain' field , which is working good. But then I want to rename the filed 'USERNAME' which is extracted from the 'remain'
field.
Do you want a period in the field name, or do you want a nested field, which would be [user][name].
What makes you think it is not currently working?
When i renamed the field to 'user.name' no such field is created in elasticsearch
I am trying to map the fields in my logs , with the ECS fields. My logs contain a field 'USERNAME' which i am extracting using KV filter . I want to rename it as 'user.name' so that it populates in the SIEM app of elasticsearch
I have exact same syntax and it works.
how is your output looks like?
I didn't like (y) so I change the name.
mutate { rename => ["hwage(y)","hardwareage_years"] }
It works fine while with grok. But when I use it with KV filter it is not working.
I am extracting 'USERNAME' field using KV filter . Then when I apply mutate to rename it , its not working
Guys please help me find solution.
Thank you @Badger @elasticforme for your response, the syntax was right . Actually my fieldname had space
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.