Logstash filter on number

kamandohl · March 13, 2020, 8:26am

Trying to filter on an number, in this case 4624, in Logstash. But unable to get it to work. I was able to key off of event.kind, but that is a word and all events have that, so not an option. I have looked for days and unable to find anyone that has had the same issue, but no such luck. Thanks.

Example:

"event": {
    "code": 4624,
    "kind": "event",
    "created": "2020-03-13T08:06:30.606Z",
    "action": "Logon"

Filters I have tried.

if [event][code] == "4624" {
mutate {
  add_tag => [ "testing" ]
  }
}

if "4624" in [event][code] {
  mutate {
    add_tag => [ "testing" ]
  }
}

if [4624] in [event][code] {
    mutate { add_tag => [ "testing" ] }
     } 
    }
if [event][code] =~ "4624" {
mutate {
  add_tag => [ "testing" ]
  }

 if [event][code] =~ 4624 {
          mutate { add_tag => [ "testing" ] }
     }
  }

Badger · March 13, 2020, 5:54pm

Have you tried comparing it to a number?

if [event][code] == 4624 {

kamandohl · April 7, 2020, 10:42am

Badger,

Apolgies, this is how we got it to work.

if [event][kind] == "event" and [event][code] == 4624 {

system · May 5, 2020, 10:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter not working. Probably my fault :D Logstash	5	975	November 28, 2017
Logstash Filter to drop Beats events Logstash	2	256	September 19, 2019
Logstash - Comparing two fields Logstash	3	1295	May 10, 2017
Logstash filter with regex Logstash	1	418	April 28, 2020
Logstash Filter for Specific Winlogs Value Logstash	4	413	November 21, 2019

Logstash filter on number

Related topics