If in json nested field

probson · January 6, 2021, 1:07pm

Hi,

I am trying to use logstash to create a field of dns.type based on the types within dns.answers. This is from event.code 22 from sysmon.

i have tried:

      if "AAAA" in [dns][answers] {
          mutate {
              add_field => {"[dns][type]" => "AAAA"}
            }
        }

also tried KV with no joy.
Any suggestions

dns.answers
	
{
  "type": "AAAA",
  "data": "2a04:4e42::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:200::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:400::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:600::81"
},
{
  "type": "A",
  "data": "151.101.64.81"
},
{
  "type": "A",
  "data": "151.101.128.81"
},
{
  "type": "A",
  "data": "151.101.192.81"
},
{
  "type": "A",
  "data": "151.101.0.81"
}

aaron-nimocks · January 6, 2021, 1:12pm

Have you tried

if "AAAA" in [dns][answers][type] {

If that doesn't work can you post an example of your data set?

probson · January 6, 2021, 1:50pm

probson:

dns.answers
	
{
  "type": "AAAA",
  "data": "2a04:4e42::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:200::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:400::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:600::81"
},
{
  "type": "A",
  "data": "151.101.64.81"
},
{
  "type": "A",
  "data": "151.101.128.81"
},
{
  "type": "A",
  "data": "151.101.192.81"
},
{
  "type": "A",
  "data": "151.101.0.81"
}

Hi @aaron-nimocks,

sysmon with winlogbeats does not give a [dns][answers][type] only the [dns][answers] as below

dns.answers
	
{
  "type": "AAAA",
  "data": "2a04:4e42::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:200::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:400::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:600::81"
},
{
  "type": "A",
  "data": "151.101.64.81"
},
{
  "type": "A",
  "data": "151.101.128.81"
},
{
  "type": "A",
  "data": "151.101.192.81"
},
{
  "type": "A",
  "data": "151.101.0.81"
}

I am trying to end up with the type extracted from that [dns][answers], even if i end up with [dns][answers][type]: AAAA, A

Thanks

ylasri · January 6, 2021, 2:25pm

That will need a ruby filter, try this one

ruby { 
		code => "
				dns_type = event.get('[dns][answers]').find {|h| h['type'] == 'AAAA'}['type'];
				event.set('[dns][type]', dns_type)
				"
	}

ylasri · January 6, 2021, 2:26pm

Check this thread

probson · January 6, 2021, 3:22pm

Hi @ylasri

i removed the =='AAAA' so that it now pulls the type from the array, now need to get it to loop through and append as dns.answers may include multiple types

    ruby { 
		code => "
				dns_type = event.get('[dns][answers]').find {|h| h['type']}['type'];
				event.set('[dns][answers.type]', dns_type)
				"
	    }

system · February 3, 2021, 3:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If conditional on nested field with IP address Logstash	10	3724	April 21, 2020
Filter to add fiels of on nested JSON name value fields Logstash	5	602	April 27, 2022
If statement not work Logstash	7	256	August 5, 2022
Kibana displays JSON field with "?" in front, but its searchable and acts like seperate fields Kibana	3	307	July 26, 2019
Help with logstash json output to split a field in multiple variables and combine them to a new field Logstash	12	2462	April 6, 2018

If in json nested field

Related topics