I have Azure Event Hub data coming into Logstash via the eponymous plugin. I get huge chunks of JSON that contain multiple events which I then have to split into distinct events. Here is a simplified example:
{
  "records": [
    {
      "LogicalServerName": "myservername",
      "SubscriptionId": "mysubid-uuid",
      "ResourceGroup": "Prod",
      "time": "2019-02-15T17:44:23.3870000Z",
      "resourceId": "/SUBSCRIPTIONS/mysubid-uuid/RESOURCEGROUPS/PROD/PROVIDERS/MICROSOFT.SQL/SERVERS/myservername/DATABASES/MASTER",
      "category": "SQLSecurityAuditEvents",
      "operationName": "AuditEvent"
    },
    {
      "LogicalServerName": "myservername",
      "SubscriptionId": "mysubid-uuid",
      "ResourceGroup": "Prod",
      "time": "2019-02-15T17:44:23.3870000Z",
      "resourceId": "/SUBSCRIPTIONS/mysubid-uuid/RESOURCEGROUPS/PROD/PROVIDERS/MICROSOFT.SQL/SERVERS/myservername/DATABASES/MASTER",
      "category": "SQLSecurityAuditEvents",
      "operationName": "AuditEvent"
    }
  ]
}
After the split I'm trying to copy the key LogicalServerName into a custom field called sourceHost. This is to normalize the input from a variety of services. Unfortunately, it doesn't seem to work. Records.LogicalServerName has the correct value, but the sourceHost field is just blank.
Here's the filter I'm trying to use:
filter {
  if [type] == "azure_event_hub" {
    json {
      source => "message"
    }
    split {
      field => ["records"]
    }
    mutate {
      # Map the requestHost to a standard hostname field
      copy => { "records.LogicalServerName" => "sourceHost" }
    }
  }
}
What am I missing here?
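For comparison, here is the same filter written with Logstash's bracket field-reference syntax. This is an added example, not the poster's configuration: in Logstash a nested field is addressed as `[records][LogicalServerName]`, whereas the dotted string `records.LogicalServerName` names a top-level field that literally contains a dot, which does not exist after the split, so `copy` has nothing to read. Keeping a reliable `sourceHost` on every `SQLSecurityAuditEvents` record is what lets these audit events be correlated with other sources by host later on. The `[type]` condition and field names are taken from the post; the `add_field` fallback is an alternative I am assuming here rather than something the post used.

```logstash
filter {
  if [type] == "azure_event_hub" {
    json {
      source => "message"
    }
    # split turns the "records" array into one event per element;
    # each element is still nested under [records].
    split {
      field => "records"
    }
    mutate {
      # Nested fields must use bracket notation; a dotted string is
      # treated as a literal top-level field name with a dot in it.
      copy => { "[records][LogicalServerName]" => "sourceHost" }
    }
    # Equivalent alternative (assumed, not from the original post):
    # mutate {
    #   add_field => { "sourceHost" => "%{[records][LogicalServerName]}" }
    # }
  }
}
```

A quick way to confirm the field path is to run the pipeline with a `stdout { codec => rubydebug }` output and check that `records` appears as a nested object rather than as a flat key containing a dot; if `sourceHost` still comes out empty, the event reached the `mutate` block without the `records` object the `split` was expected to produce.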