Hi There!
I have a question about WinlogBeat. Is there any way to display the "level" field in the EventLog as a numeric value? When I search for the data in Elasticsearch the value of the level field is always displayed write out.
Is there any way to display the original value of the level field? Like in this example "4".
Regards.
No, this isn't configurable. Winlogbeat always reports the rendered level string. And even if it can't get a rendered string it has a fallback to map the number to the names a specified in this table.
You could use Logstash to translate the values to numbers. It may not work for all level values if some app creates their own.
filter {
translate {
field => "Level",
destination => "LevelRaw",
dictionary => [ "Critical", 1,
"Error", 2,
"Warning", 3,
"Verbose", 4 ]
}
}
Or you could send the raw XML to Logstash to grok the <LevelRaw>1</LevelRaw> value. I'm guessing this will be kind of expensive, but for low event volumes it's probably fine.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.