How to use custom field in dns filter?

I'm working on a filter to resolve hostnames in IP fields. Since there are multiple IP fields, I've added a metadata field that I can later use to resolve the actual field.

If I use resolve => "ip_field_1" it correctly resolves the hostname to an IP, but when I try to use the value from the field, it fails to resolve the hostname.

    filter {
        mutate { add_field => { "[@metadata][ip_field]" => "ip_field_1" } }

        if [@metadata][ip_field] {
            dns {
                nameserver => [ "8.8.8.8" ]
                resolve => [ "[@metadata][ip_field]" ]
                action => "replace"
                hit_cache_ttl => 3540
                hit_cache_size => 1000000
                failed_cache_ttl => 10
                failed_cache_size => 1000000
                timeout => 2
            }
        }
    }

Added after edit:
What I want to accomplish is the following without using 100 lines of code:

    filter {
        if [ip_field_1] {
            dns {
                nameserver => [ "8.8.8.8" ]
                resolve => "ip_field_1"
                action => "replace"
                hit_cache_ttl => 3540
                hit_cache_size => 1000000
                failed_cache_ttl => 10
                failed_cache_size => 1000000
                timeout => 2
            }
        }
        if [ip_field_2] {
            dns {
                nameserver => [ "8.8.8.8" ]
                resolve => "ip_field_2"
                action => "replace"
                hit_cache_ttl => 3540
                hit_cache_size => 1000000
                failed_cache_ttl => 10
                failed_cache_size => 1000000
                timeout => 2
            }
        }
        if [ip_field_3] {
        .....
        }

Logstash does not support this kind of indirection. But you could do something like this to copy the field to a fixed field name.

    ruby {
        code => '
            fieldname = event.get("[@metadata][ip_field]")
            if fieldname then
                fieldvalue = event.get(fieldname)
                if fieldvalue then
                    event.set("[@metadata][ip]", fieldvalue)
                end
            end
        '
    }
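
The full round trip that the answer's snippet leads to, as an added example that is not part of the original thread: copy the named field into the fixed field `[@metadata][ip]`, point the dns filter at that fixed name, then write the result back to the field it came from. The write-back step and the use of `[@metadata][ip]` as the `resolve` target are assumptions built on the snippet above; the dns settings are the ones from the question.

```logstash
filter {
  # Name of the field to resolve for this event (value taken from the question).
  mutate { add_field => { "[@metadata][ip_field]" => "ip_field_1" } }

  # Copy the named field's value into a fixed scratch field, as in the answer.
  ruby {
    code => '
      fieldname = event.get("[@metadata][ip_field]")
      fieldvalue = fieldname ? event.get(fieldname) : nil
      event.set("[@metadata][ip]", fieldvalue) if fieldvalue
    '
  }

  # Only run the lookup when the named field existed and had a value.
  if [@metadata][ip] {
    # The dns filter is given the fixed field name, so no indirection is needed.
    dns {
      nameserver        => [ "8.8.8.8" ]
      resolve           => [ "[@metadata][ip]" ]
      action            => "replace"
      hit_cache_ttl     => 3540
      hit_cache_size    => 1000000
      failed_cache_ttl  => 10
      failed_cache_size => 1000000
      timeout           => 2
    }

    # Assumed write-back step: put the scratch value into the original field.
    # If the lookup failed, the scratch field still holds the original value,
    # so the original field is left unchanged.
    ruby {
      code => '
        event.set(event.get("[@metadata][ip_field]"), event.get("[@metadata][ip]"))
      '
    }
  }
}
```

Because both helper fields live under `[@metadata]`, neither is sent to the outputs with the event.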
