Multi_fields rename problem

abu.sayeed · January 7, 2018, 9:55am

MY Logformat:
computer_name NAZ-TECH-PC-005.NTDAC.nazdaqTechnologies.local
event_data.TargetServerName VNTDACWSPRP001.NTDAC.nazdaqTechnologies.local
event_data.SubjectUserName Jhon
event_data.TargetUserName Tom

filter {
if [type] == "wineventlog" {
mutate {
remove_field => [ "tags", "opcode", "version", "beat", "message"]
}
mutate {
rename => [ "event_data.TargetServerName", "Target_fqdn" ]
rename => [ "computer_name", "source_fqdn" ]
rename => [ "event_data.TargetUserName", "Target_user" ]
rename => [ "data.SubjectUserName", "source_user" ]
}
}

}

source_fqdn NAZ-TECH-PC-005.NTDAC.nazdaqTechnologies.local
event_data.TargetServerName VNTDACWSPRP001.NTDAC.nazdaqTechnologies.local
event_data.SubjectUserName Jhon
event_data.TargetUserName Tom

Please help me to rename event_data. field name

magnusbaeck · January 7, 2018, 4:25pm

You're using the wrong syntax for addressing nested fields, see https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references.

abu.sayeed · January 8, 2018, 5:28am

Thanks problem solve

system · February 5, 2018, 5:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.