Logstash-iterating through array field with specific action for every value

Jan_Kabelka · April 9, 2021, 11:33am

Hi,logstash wizards! I suppose ruby must be used for what I need but I tried many many ways with no success:( I parse DNS responses on Logstash and as a result I have field below with array of values:

    {"dns": {
          "answers": {
            "data": [
              "apple.com.akadns.net",
              "17.57.146.53",
              "17.57.146.52",
              "17.57.146.68",
              "17.57.146.69"
            ]
    }

This field is-of course-data type of text. I would need to copy only IP addresses from this array (eg thanks to regex \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) and save them to new array field with data type of IP. Result should look like:

{"dns": {
      "answers": {
        "data_ip": [
          "17.57.146.53",
          "17.57.146.52",
          "17.57.146.68",
          "17.57.146.69"
        ]
}

Then I would need to use geoip plugin and store ASN numbers, company name etc for every IP address from field [dns][answer][data_ip] to new array field. Result should look like:

{"dns": {
      "answers": {
        "data_geo_asn": [
          "714",
          "714",
          "714",
          "714"
        ]
}

{"dns": {
      "answers": {
        "data_geo_company": [
          "Apple",
          "Apple",
          "Apple",
          "Apple"
        ]
}

Used geoip plugin should look similarly like:

    geoip {
      database => "/etc/logstash/conf.d/GeoIP2-ISP.mmdb"
      source => "[dns][answer][data_ip]"
      target => "[dns][answer][data_geo]"
      tag_on_failure => ["_geoip_asn_lookup_failure"]
      }

Really appreciate any help! Jan

Badger · April 9, 2021, 3:40pm

This part is fairly simple. Something like this (which I have not tested):

ruby {
    code => '
        data = event.get("[dns][answers][data]")
        if data
            event.set("[dns][answers][data_ip]", data.delete_if { |x| ! x.match(/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) } )
        end
    '
}

However, if passed an array a geoip filter only parses the first entry. One possibility would be to split on the data_ip array so that you have multiple events, call geoip, then aggregate them. Something similar to this.

system · May 7, 2021, 3:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Creating an array of values from a combination of range and list values Logstash	4	652	August 16, 2019
Array field in event Logstash	6	2695	January 6, 2017
Array values into single field Logstash	2	457	February 24, 2021
Filtering on nested json fields of varying length Logstash	4	376	April 24, 2020
Using Arrays in Logstash Logstash	2	838	July 6, 2017

Logstash-iterating through array field with specific action for every value

Related topics