Ingest Pipelines in Logstash

Hi,

In the ingest pipelines tab I created and tested the dissect. How can I apply it to the index, since the index changes daily? In the index file I can see that the pipeline is set to default; how can I change this default to the pipeline name I want?

The log

<116>2022-10-17T19:37:22.898Z 1.1.1.1 : McAfee;7FA7:AED1;NEC - Sev >= 11;Line 1;Alarm: Nec - Sev >= 30|Trigger Date:11/11/1111 16:37:11|Rule Name:Login - Rule name|First Time: 10/17/2023 16:20:19|Last Time: 11/11/11116:28:33|Summary: Field match alarm triggered on Correlation Engine|Source IP: 1.1.1.1|Destination IP: ::|Severity: Severity not yet calculated|Event Count: 5|Source User:cd_053_00|Normalized ID: 123|EventID: 123|123>


My parse in ingest

[
  {
    "dissect": {
      "field": "message",
      "pattern": "<%{case.number}>%{@timestamp} %{ip.reporting} : %{tool.name};%{tool.id};NEC - Sev %{severity.modifier} %{severity.rating};Line %{tool.line};Alarm: NEC - Sev %{alarm.modifier} %{alarm.rating}|Trigger Date: %{trigger.date}|Rule Name:%{rule.descryption}|First Time: %{happen.first}|Last Time: %{happen.last}|Summary: %{summary}|Source IP: %{ip.source}|Destination IP: %{ip.destination}|Severity: %{severity.rank}|Event Count: %{event.count}|Source User:%{user.source}|Normalized ID: %{id.normalized}|EventID: %{id.event}|%{id.code}"
    }
  },
  {
    "remove": {
      "field": "message"
    }
  }
]
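As an added example (not code from the original post or from Elastic), a small Python check that applies dissect's core matching rules to the sample line above before the pipeline is wired to an index. It assumes the log line is exactly as pasted: two literals in the pattern ("Alarm: NEC - Sev " and "Trigger Date: ") do not occur in that sample, so `FIXED_PATTERN` is a hypothetical adjustment for the pasted text only.

```python
import re

# Constructed copies of the sample log line and dissect pattern from the post above.
LOG_LINE = (
    "<116>2022-10-17T19:37:22.898Z 1.1.1.1 : McAfee;7FA7:AED1;NEC - Sev >= 11;Line 1;"
    "Alarm: Nec - Sev >= 30|Trigger Date:11/11/1111 16:37:11|Rule Name:Login - Rule name|"
    "First Time: 10/17/2023 16:20:19|Last Time: 11/11/11116:28:33|"
    "Summary: Field match alarm triggered on Correlation Engine|Source IP: 1.1.1.1|"
    "Destination IP: ::|Severity: Severity not yet calculated|Event Count: 5|"
    "Source User:cd_053_00|Normalized ID: 123|EventID: 123|123>"
)
PATTERN = (
    "<%{case.number}>%{@timestamp} %{ip.reporting} : %{tool.name};%{tool.id};"
    "NEC - Sev %{severity.modifier} %{severity.rating};Line %{tool.line};"
    "Alarm: NEC - Sev %{alarm.modifier} %{alarm.rating}|Trigger Date: %{trigger.date}|"
    "Rule Name:%{rule.descryption}|First Time: %{happen.first}|Last Time: %{happen.last}|"
    "Summary: %{summary}|Source IP: %{ip.source}|Destination IP: %{ip.destination}|"
    "Severity: %{severity.rank}|Event Count: %{event.count}|Source User:%{user.source}|"
    "Normalized ID: %{id.normalized}|EventID: %{id.event}|%{id.code}"
)
# Hypothetical correction for the sample as pasted: two literals differ from the log text.
FIXED_PATTERN = PATTERN.replace("Alarm: NEC - Sev ", "Alarm: Nec - Sev ").replace(
    "Trigger Date: ", "Trigger Date:")

TOKEN = re.compile(r"%\{([^}]*)\}")  # matches a plain %{key} capture


def dissect(pattern, text):
    """Approximate the dissect processor's core matching: literal delimiters must
    match exactly (case- and whitespace-sensitive) and each %{key} takes the text
    up to the next occurrence of the following literal. Only plain %{key} captures
    are supported (no ->, +, ? or & modifiers). Returns (fields, None) on success
    or (None, reason) naming the first delimiter that could not be found."""
    keys = TOKEN.findall(pattern)
    literals = TOKEN.split(pattern)[0::2]  # literal text between/around the keys
    if not text.startswith(literals[0]):
        return None, f"input does not start with {literals[0]!r}"
    pos = len(literals[0])
    fields = {}
    for key, lit in zip(keys, literals[1:]):
        end = text.find(lit, pos) if lit else len(text)  # empty lit: last key takes the rest
        if end < 0:
            return None, f"delimiter {lit!r} (after %{{{key}}}) not found at offset {pos}"
        fields[key] = text[pos:end]
        pos = end + len(lit)
    if pos != len(text):
        return None, f"unconsumed trailing text {text[pos:]!r}"
    return fields, None


if __name__ == "__main__":
    for name, pat in (("original", PATTERN), ("corrected", FIXED_PATTERN)):
        fields, err = dissect(pat, LOG_LINE)
        print(name, "->", err or f"{len(fields)} fields, e.g. tool.id={fields['tool.id']}")
```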
