Hello there,
Im trying to use the lowercase filter but it seens that is not working. I want to apply the filter on "TargetDomainName" field so the results should be "contoso_rt" instead of "CONTOSO_RT"
Can someone point me what I´m doing wrong?
Here is my config:
if [type] == "eventlog" {
mutate {
lowercase => [ "TargetDomainName" ]
}
Debug:
"winlog" => {
"provider_name" => "Microsoft-Windows-Security-Auditing",
"task" => "Logon",
"keywords" => [
[0] "Audit Success"
],
"channel" => "Security",
"event_data" => {
"KeyLength" => "0",
"ProcessName" => "-",
"LogonType" => "3",
"LmPackageName" => "-",
"TargetDomainName" => "CONTOSO_RT",
Thanks for the attention,
Franthesco Ferrari