Mutate lowercase filter not been applied

francescouk · December 20, 2019, 5:23pm

Hello there,

Im trying to use the lowercase filter but it seens that is not working. I want to apply the filter on "TargetDomainName" field so the results should be "contoso_rt" instead of "CONTOSO_RT"

Can someone point me what I´m doing wrong?

Here is my config:

if [type] == "eventlog" {  
mutate {
    lowercase => [ "TargetDomainName" ]
}

Debug:

"winlog" => {
        "provider_name" => "Microsoft-Windows-Security-Auditing",
                 "task" => "Logon",
             "keywords" => [
            [0] "Audit Success"
        ],
              "channel" => "Security",
              "event_data" => {
                            "KeyLength" => "0",
                          "ProcessName" => "-",
                            "LogonType" => "3",
                        "LmPackageName" => "-",
                     "TargetDomainName" => "CONTOSO_RT",

Thanks for the attention,

Franthesco Ferrari

Christian_Dahlqvist · December 20, 2019, 5:54pm

It looks like the field is not at the root, so you need to specify it fully, e.g. lowercase => [ "[winlog][event_data][TargetDomainName]" ].

francescouk · December 20, 2019, 7:00pm

Wow!!! You just saved my day!!!! Thanks for your help!!

system · January 17, 2020, 7:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mutate Lowercase Issue Logstash	5	844	June 24, 2021
Logstash - Mutate lowercase doesn't work with filed name Logstash	2	634	June 23, 2020
Convert Packetbeat Field Contents to Lowercase Logstash	9	274	May 14, 2021
Convert uppercase in lowercase Logstash	13	14725	July 20, 2017
Logstash output to Elasticsearch name index based on field? Logstash	12	2691	March 23, 2021

Mutate lowercase filter not been applied

Related Topics