If in json nested field

probson · January 6, 2021, 1:07pm

Hi,

I am trying to use logstash to create a field of dns.type based on the types within dns.answers. This is from event.code 22 from sysmon.

i have tried:

      if "AAAA" in [dns][answers] {
          mutate {
              add_field => {"[dns][type]" => "AAAA"}
            }
        }

also tried KV with no joy.
Any suggestions

dns.answers
	
{
  "type": "AAAA",
  "data": "2a04:4e42::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:200::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:400::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:600::81"
},
{
  "type": "A",
  "data": "151.101.64.81"
},
{
  "type": "A",
  "data": "151.101.128.81"
},
{
  "type": "A",
  "data": "151.101.192.81"
},
{
  "type": "A",
  "data": "151.101.0.81"
}

aaron-nimocks · January 6, 2021, 1:12pm

Have you tried

if "AAAA" in [dns][answers][type] {

If that doesn't work can you post an example of your data set?

probson · January 6, 2021, 1:50pm

probson:

dns.answers
	
{
  "type": "AAAA",
  "data": "2a04:4e42::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:200::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:400::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:600::81"
},
{
  "type": "A",
  "data": "151.101.64.81"
},
{
  "type": "A",
  "data": "151.101.128.81"
},
{
  "type": "A",
  "data": "151.101.192.81"
},
{
  "type": "A",
  "data": "151.101.0.81"
}

Hi @aaron-nimocks,

sysmon with winlogbeats does not give a [dns][answers][type] only the [dns][answers] as below

dns.answers
	
{
  "type": "AAAA",
  "data": "2a04:4e42::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:200::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:400::81"
},
{
  "type": "AAAA",
  "data": "2a04:4e42:600::81"
},
{
  "type": "A",
  "data": "151.101.64.81"
},
{
  "type": "A",
  "data": "151.101.128.81"
},
{
  "type": "A",
  "data": "151.101.192.81"
},
{
  "type": "A",
  "data": "151.101.0.81"
}

I am trying to end up with the type extracted from that [dns][answers], even if i end up with [dns][answers][type]: AAAA, A

Thanks

ylasri · January 6, 2021, 2:25pm

That will need a ruby filter, try this one

ruby { 
		code => "
				dns_type = event.get('[dns][answers]').find {|h| h['type'] == 'AAAA'}['type'];
				event.set('[dns][type]', dns_type)
				"
	}

ylasri · January 6, 2021, 2:26pm

Check this thread

probson · January 6, 2021, 3:22pm

Hi @ylasri

i removed the =='AAAA' so that it now pulls the type from the array, now need to get it to loop through and append as dns.answers may include multiple types

    ruby { 
		code => "
				dns_type = event.get('[dns][answers]').find {|h| h['type']}['type'];
				event.set('[dns][answers.type]', dns_type)
				"
	    }