Logstash - Nested fields?

SaraC · March 10, 2021, 6:00pm

Hi,

I have the following sample of log:

{
    "@timestamp": "2021-03-10T17:30:58.899Z",
    "@version": "1",
    "Actor": [
        {
            "ID": "Microsoft Intune",
            "Type": 1
        },
        {
            "ID": "0000000a-0000-0000-c000-000000000000",
            "Type": 2
        },
        {
            "ID": "00000000000000000000000000000000000000000000000000000",
            "Type": 2
        },
        {
            "ID": "000000000000000000000000000000000000",
            "Type": 2
        },
        {
            "ID": "ServicePrincipal",
            "Type": 2
        }
    ],
    "ActorContextId": "000000000000000000000000000000000000",
}

And I want to drop all the logs that have "Microsoft Intune" as [Actor][ID].

I tried different ways through filter but nothing worked:
if [Actor.ID] == "Microsoft Intune" { drop{} }
or
if [Actor][ID] == "Microsoft Intune" { drop{} }
or
if "Microsoft Intune" in [Actor.ID] { drop{} }

Someone can help me?

Thanks,
Sara

Badger · March 10, 2021, 6:15pm

I think you would have to use ruby to do that

filter {
    ruby {
        code => '
            actor = event.get("Actor")
            if actor.is_a? Array
                actor.each { |x|
                    if actor["ID"] == "Microsoft Intune"
                        event.cancel
                    end
                }
            end
        '
    }
}

SaraC · March 10, 2021, 6:31pm

Hi @Badger,

thanks for reply. If I would add a field, for example:
drop:yes
how could the code change?

Anyway I tried to change my pipeline but I obtain the following error:
[ERROR][logstash.filters.ruby ] Ruby exception occurred: no implicit conversion of String into Integer

Badger · March 10, 2021, 7:10pm

That should be if x["ID"] == "Microsoft Intune". actor is an array, so it has to be indexed using an integer. x is a hash, so it is indexed using a key.

I do not understand your question about adding a field.

SaraC · March 10, 2021, 7:47pm

Instead of directly deleting the log whose ID field was "Microsoft Intune", I thought of "marking" it with a drop field.
How can I do it in ruby?

Badger · March 10, 2021, 7:49pm

Use the event api

event.set("drop", true)

SaraC · March 11, 2021, 10:51am

Thank you very much @Badger
With your solution I solved my issue.

system · April 8, 2021, 10:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.