I want to use one of the field from the following output in translate filter.
Below is the output looks like.
{
"message" => "May 19 08:27:11 ip-21-54-0-85 openvpn[20191]: kishore.uppala/1.184.195.114:36389 MULTI_sva: pool returned IPv4=12.24.254.14, IPv6=(Not enabled)",
"@version" => "1",
"@timestamp" => "2016-06-03T11:06:08.844Z",
"host" => "ip-21-54-233-31.ec2.internal",
"tags" => [
[0] "GeoIP"
],
"vpc_id" => "vpc-87377fe2",
"region_id" => "US East (N. Virginia)",
"cust_id" => "ACN",
"month" => "May",
"day" => "19",
"time" => "08:27:11",
"hostname" => "ip-10-254-0-85",
"vpn_daemon" => "openvpn",
"vpn_id" => "20191",
"username" => "kishore.uppala",
"public_ip" => "1.184.195.114",
"publicip_port" => "36389",
"vpn_status" => "pool returned",
"vpn_ip" => "12.24.254.14",
"vpn_msg" => "(Not enabled)",
"received_at" => "2016-06-03T11:06:08.844Z",
"received_from" => "ip-21-54-233-31.ec2.internal",
"geoip" => {
"ip" => "1.184.195.114",
"country_code2" => "CN",
"country_code3" => "CHN",
"country_name" => "China",
"continent_code" => "AS",
"region_name" => "30",
"city_name" => "Guangzhou",
"latitude" => 23.11670000000001,
"longitude" => 113.25,
"timezone" => "Asia/Chongqing",
"real_region_name" => "Guangdong",
"location" => [
[0] 113.25,
[1] 23.11670000000001
],
"coordinates" => [
[0] 113.25,
[1] 23.11670000000001
]
}
}
I want to match the field 'country_name' from above output with malicious country list. but unable to query using below field option. ( i have tried with field => "country_name" also )
translate {
field => "geoip.country_name"
destination => "country"
dictionary_path => "/home/ec2-user/malicious"
add_tag => [ "Malicious" ]
}
Kindly help me on this.