Mutate lowercase filter not been applied

francescouk · December 20, 2019, 5:23pm

Hello there,

Im trying to use the lowercase filter but it seens that is not working. I want to apply the filter on "TargetDomainName" field so the results should be "contoso_rt" instead of "CONTOSO_RT"

Can someone point me what I´m doing wrong?

Here is my config:

if [type] == "eventlog" {  
mutate {
    lowercase => [ "TargetDomainName" ]
}

Debug:

"winlog" => {
        "provider_name" => "Microsoft-Windows-Security-Auditing",
                 "task" => "Logon",
             "keywords" => [
            [0] "Audit Success"
        ],
              "channel" => "Security",
              "event_data" => {
                            "KeyLength" => "0",
                          "ProcessName" => "-",
                            "LogonType" => "3",
                        "LmPackageName" => "-",
                     "TargetDomainName" => "CONTOSO_RT",

Thanks for the attention,

Franthesco Ferrari

Christian_Dahlqvist · December 20, 2019, 5:54pm

It looks like the field is not at the root, so you need to specify it fully, e.g. lowercase => [ "[winlog][event_data][TargetDomainName]" ].

francescouk · December 20, 2019, 7:00pm

Wow!!! You just saved my day!!!! Thanks for your help!!

system · January 17, 2020, 7:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.