My translate config isn't working

jhashman · February 1, 2018, 8:40pm

filter {
if [eventlog_category] == "Directory Service Changes" {
	ruby {
		code => "event.set('gpo_guid', event.get('ObjectDN')[4..39])"
	}
	translate {
		field => "gpo_guid"
		destination => "gpo_name"
		dictionary_path => "D:/ELK/logstash-5.6.5/yaml/gpo_guid.yaml"
	}
}

}

The config above for translate is not creating the new field gpo_name any ideas why? I don't see any errors in the logstash log and I do see that logstash is periodically refreshing the dictionary file.

An example entry in gpo_guid.yaml is below:

"edf5c692-6005-4899-af86-41b3f36545f0" : "Copy of MS_Office_2000"

warkolm · February 1, 2018, 8:50pm

Is it pulling the gpo_guid field from the event?

jhashman · February 2, 2018, 4:18am

Yep it is pulling the gpo_guid field and adding it to the index. It shows up unquoted.

edf5c692-6005-4899-af86-41b3f36545f0

system · March 2, 2018, 4:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.