Logstash filter on number

kamandohl · March 13, 2020, 8:26am

Trying to filter on an number, in this case 4624, in Logstash. But unable to get it to work. I was able to key off of event.kind, but that is a word and all events have that, so not an option. I have looked for days and unable to find anyone that has had the same issue, but no such luck. Thanks.

Example:

"event": {
    "code": 4624,
    "kind": "event",
    "created": "2020-03-13T08:06:30.606Z",
    "action": "Logon"

Filters I have tried.

if [event][code] == "4624" {
mutate {
  add_tag => [ "testing" ]
  }
}

if "4624" in [event][code] {
  mutate {
    add_tag => [ "testing" ]
  }
}

if [4624] in [event][code] {
    mutate { add_tag => [ "testing" ] }
     } 
    }
if [event][code] =~ "4624" {
mutate {
  add_tag => [ "testing" ]
  }

 if [event][code] =~ 4624 {
          mutate { add_tag => [ "testing" ] }
     }
  }

Badger · March 13, 2020, 5:54pm

Have you tried comparing it to a number?

if [event][code] == 4624 {

kamandohl · April 7, 2020, 10:42am

Badger,

Apolgies, this is how we got it to work.

if [event][kind] == "event" and [event][code] == 4624 {

system · May 5, 2020, 10:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.