I've got a filter that I'm trying to add to a Logstash instance that is receiving netflow data. I am trying to test the value of the field "netflow.protocol" and then, based on that, add a string literal for the type of protocol that it is. I've tried many combinations, but nothing seems to work.
My filter looks like this.
    filter {
      if [netflow.protocol] == "6" {
        mutate {
          add_field => { "netflow.protocol_type" => "TCP" }
        }
      }
    }
I'm sure I've got something slightly wrong here and would appreciate feedback from the community. Thanks!
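Added example, not part of the original post: in Logstash, `[netflow.protocol]` refers to a top-level field whose name literally contains a dot, while a value nested inside a `netflow` object is referenced as `[netflow][protocol]`. The sketch below assumes the event carries the protocol number nested that way and that it may arrive as either a number or a numeric string; the `protocol_type_unmapped` tag is a hypothetical name.

```logstash
filter {
  # Only act on events that actually carry the nested field.
  if [netflow][protocol] {
    # Normalise the value to an integer so the comparisons below do not
    # depend on whether the input produced 6 or "6".
    mutate {
      convert => { "[netflow][protocol]" => "integer" }
    }

    # IANA-assigned IP protocol numbers: 1 = ICMP, 6 = TCP, 17 = UDP.
    if [netflow][protocol] == 6 {
      mutate { add_field => { "[netflow][protocol_type]" => "TCP" } }
    } else if [netflow][protocol] == 17 {
      mutate { add_field => { "[netflow][protocol_type]" => "UDP" } }
    } else if [netflow][protocol] == 1 {
      mutate { add_field => { "[netflow][protocol_type]" => "ICMP" } }
    } else {
      # Keep unmapped protocols visible instead of silently dropping the label.
      mutate { add_tag => [ "protocol_type_unmapped" ] }
    }
  }
}
```

Printing one event with `stdout { codec => rubydebug }` shows whether `netflow` is a nested object and whether `protocol` is quoted, which confirms or rules out both assumptions.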