slinky
November 21, 2016, 2:15pm
1
In the docs there is this replace example:
filter {
Now I wanna do something like this:
filter {
The "as" is a literal string and should form 1 one word with %{autonomous_system_number} (so without a space).
Sample output should be:
When I try my above example approach, the docs will not be indexed.
Depending on your ES release field names can't contain periods. If you want a nested field, i.e.
"autonomous_system": {
"asn": "as1234"
}
in JSON, use the correct syntax for that ([autonomous_system][asn]).
slinky
November 21, 2016, 2:41pm
3
I am using ES5. I changed the config to:
Now it made the index:
I'm guessing ES sees the field as literal because there is no space between "as" and the field.
Any suggestions?
I'm guessing ES sees the field as literal because there is no space between "as" and the field.
No, that has nothing to do with it.
What does your configuration look like? What does an example event look like? Use a stdout { codec => rubydebug } output.
slinky
November 25, 2016, 2:02pm
5
I found out that I was using another wrong JSON nested field syntax in
Changed that also to index => "%{[autonomous_system][asn]} and it worked.
So problem solved. Thanks for the help! What should I do with this topic now?
What should I do with this topic now?
You don't have to do anything.
system
December 23, 2016, 3:02pm
7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.