Tim_Rice
(Tim Rice)
March 22, 2019, 10:46pm
1
Hello,
I have an ingest pipeline that does two things. It basically leverages kv and applies geo info to a field.
PUT _ingest/pipeline/mitresplit
{
  "description": "splits technique_name and technique_id",
  "processors": [
    {
      "kv": {
        "field": "sfRuleName",
        "field_split": ",",
        "value_split": "="
      }
    },
    {
      "geoip": {
        "field": "sfDestinationIp",
        "target_field": "geo"
      }
    }
  ]
}
And apply the pipeline
PUT winlogbeat-*/_settings
{
  "index.default_pipeline": "mitresplit"
}
What I have figured out is that if the document that is sent in does NOT contain one of the field names, then it just dies.
How can I skin this cat? If either of the fields is missing, I want things to continue to work.
Tim_Rice
(Tim Rice)
March 22, 2019, 11:07pm
2
I think that I have figured it out by leveraging the below:
PUT _ingest/pipeline/mitresplit
{
  "description": "splits technique_name and technique_id",
  "processors": [
    {
      "kv": {
        "field": "event_data.RuleName",
        "field_split": ",",
        "value_split": "=",
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "event_data.DestinationIp",
        "ignore_failure": true,
        "target_field": "geo"
      }
    }
  ]
}
PUT winlogbeat-*/_settings
{
  "index.default_pipeline": "mitresplit"
}
Which version of Elasticsearch are you using?
Tim_Rice
(Tim Rice)
March 23, 2019, 11:55am
4
6.6.0.
BTW, the "ignore_failure": true seems to have fixed the issue, but I don't like failures. It would be better (I think) to have a conditional statement that says, if field exists then do.
Thanks for the help.
Can you not use a conditional?
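The conditional version, as an added example that is not part of the thread above. It assumes Elasticsearch 6.6.0 as stated in the thread, where each ingest processor accepts an "if" Painless condition, and keeps the field names from the second post (event_data.RuleName, event_data.DestinationIp). The "_simulate" documents are constructed for this example: the RuleName value mimics the Sysmon-style "technique_id=...,technique_name=..." string the pipeline is splitting, and 8.8.8.8 is used only because it resolves in the GeoIP database, unlike a private or documentation address.

```console
PUT _ingest/pipeline/mitresplit
{
  "description": "splits technique_name and technique_id, adds geo for the destination IP; each processor runs only when its field exists",
  "processors": [
    {
      "kv": {
        "if": "ctx.event_data?.RuleName != null",
        "field": "event_data.RuleName",
        "field_split": ",",
        "value_split": "="
      }
    },
    {
      "geoip": {
        "if": "ctx.event_data?.DestinationIp != null",
        "field": "event_data.DestinationIp",
        "target_field": "geo"
      }
    }
  ]
}

POST _ingest/pipeline/mitresplit/_simulate
{
  "docs": [
    { "_source": { "event_data": { "RuleName": "technique_id=T1059,technique_name=Command-Line Interface", "DestinationIp": "8.8.8.8" } } },
    { "_source": { "event_data": { "DestinationIp": "8.8.8.8" } } },
    { "_source": { "event_data": { "RuleName": "technique_id=T1059,technique_name=Command-Line Interface" } } },
    { "_source": { "message": "constructed event with no event_data object at all" } }
  ]
}

PUT winlogbeat-*/_settings
{
  "index.default_pipeline": "mitresplit"
}
```

The Painless "?." null-safe operator matters here: "ctx.event_data.RuleName != null" would itself throw when event_data is absent (the fourth document), so the condition has to be null-safe all the way down. In the simulate output the first document gains technique_id, technique_name and geo, the second gains only geo, the third only technique_id and technique_name, and the fourth passes through untouched; none of them is rejected. The difference from "ignore_failure": true is scope. "ignore_failure" swallows every exception a processor can raise, including a malformed RuleName that kv cannot split or a DestinationIp that is not an IP address, so those events are indexed silently without enrichment and the problem stays invisible. The "if" condition skips only the missing-field case; genuine parse failures still surface, either as a rejected document or, if you add an "on_failure" handler to the pipeline, as a tagged document you can search for. Several processors (geoip among them) also accept "ignore_missing": true for the missing-field case alone; check the reference for your version before relying on it for kv.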
system
(system)
Closed
April 20, 2019, 2:19pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.