Only String and Array types are splittable

Or more specifically:

logstash.filters.split ] Only String and Array types are splittable. field:event_data.MemberName is of type = NilClass

Hi,

So, I'd like to extract the contents of the string field called: field:event_data.MemberName that is returned from a Winlogbeat.
The string currently reads in the format of:

CN=John Doe,OU=ACME,OU=Users,OU=8,OU=Paris,OU=FR,DC=mybigdomain,DC=com

The goal is to create 3 new fields and extract the certain contents of the string to populate those fields.

The relevant snippet of code I am using (and failing with) is as follows below. As the comments in the code seem to cause the format to become corrupted in the post, a quick summary of what I'm trying to do is:

If the field named event_data.MemberName isn't empty, mutate the event_data.MemberName field (this is my attempt to rid myself of the failure shown at the top of this post).
I'm then trying to split the field event_data.MemberName into an array called dn.
Then I want to reference the 3rd from last array member (in this case the country), and drop it into a new field called 'country'.

I'm just not sure where this is failing as the event_data.MemberName is defined as a string in Kibana when examining the index itself and I'm force converting it to a string even if it's not within Logstash.

filter {
  if 'dcs' in [tags] {
    # Only touch events that Winlogbeat tagged as coming from the DCs,
    # and only when the member name field is non-empty.
    if ([event_data.MemberName] != "") {

      # Force the field to a string before trying to split it.
      mutate {
        convert => { "event_data.MemberName" => "string" }
      }

      # Split the DN on "," into the array [dn] and copy the 3rd-from-last
      # element (the country OU) into a new field.
      split {
        field      => "event_data.MemberName"
        target     => "dn"
        terminator => ","
        add_field  => { "country" => "%{[dn][-3]}" }
      }
    }
  }
}

Anything obvious I'm missing?

Thanks.

Only String and Array types are splittable. field:event_data.MemberName is of type = NilClass

This typically indicates that you're trying to split a field that does exist.

		if ([event_data.MemberName] != "") {

That's not the correct syntax for referencing nested fields; see Accessing event data and fields | Logstash Reference [8.11] | Elastic.

Hi Magnus,

Thanks for the reply. I started down that path of referencing the field components but failed as I can't understand how to reference a specific field that has the same name as another element within its parent.

For example, from the example docs:

{
  "agent": "Mozilla/5.0 (compatible; MSIE 9.0)",
  "ip": "192.168.24.44",
  "request": "/index.html"
  "response": {
    "status": 200,
    "bytes": 52353
  },
  "ua": {
    "os": "Windows 7"
  }
}

To reference the "os" field, you'd use [ua][os]. This example expects each field to have a different name. So how would I use this process to reference something like this:

CN=John Doe,OU=ACME,OU=Users,OU=8,OU=Paris,OU=FR,DC=mybigdomain,DC=com

If I want to extract the country for example, how can I use event_data.MemberName? - I'm thinking:

[event_data.MemberName][OU] or [event.data][OU]

I don't see any way of targeting the specific OU that contains the country though.

Oh, I see what you're trying to do. The split filter doesn't do what you think it does. You can try using the mutate filter's split option, which splits a string into an array (rather than splicing a single event into multiple events), but I don't know if negative array indexes work. Another option is using a grok filter.
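The two problems in the thread, the NilClass error and the "3rd from last" lookup, can be shown together in plain Ruby, which is also what a Logstash ruby filter executes. The block below is an added example and is not code from the original posts or from Logstash itself. It assumes the event is a Hash shaped the way Winlogbeat ships it (event_data as a nested object, so "event_data.MemberName" is a path, not a key), and it goes one step beyond the post by parsing the DN as RDN pairs with RFC 4514 backslash escapes instead of splitting on "," and counting from the end. The sample event and DN strings are constructed for the example.

```ruby
# Added example: Logstash-style field resolution against a nested Winlogbeat
# event, plus a DN parser that extracts the country OU without a naive split.
# Assumptions: event is a plain Hash; the DN follows RFC 4514 escaping.

# Constructed sample event. event_data is a nested object, as Winlogbeat ships it.
SAMPLE_EVENT = {
  "tags" => ["dcs"],
  "event_data" => {
    "MemberName" => "CN=John Doe,OU=ACME,OU=Users,OU=8,OU=Paris,OU=FR,DC=mybigdomain,DC=com",
  },
}.freeze

# Resolve a Logstash-style field reference ("[a][b]" or a bare name) against a Hash.
# A bare name containing a dot is ONE top-level key, not a nested path, so
# "event_data.MemberName" resolves to nil here (the NilClass in the error).
def get_field(event, ref)
  path = ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  path.reduce(event) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Split a DN into [attribute, value] pairs. A comma escaped with a backslash
# (e.g. "CN=Doe\, John") is part of the value, not a separator.
def parse_dn(dn)
  rdns = []
  cur = +""
  i = 0
  while i < dn.length
    c = dn[i]
    if c == "\\" && i + 1 < dn.length
      cur << dn[i + 1]   # keep the escaped character, drop the backslash
      i += 2
      next
    elsif c == ","
      rdns << cur
      cur = +""
    else
      cur << c
    end
    i += 1
  end
  rdns << cur
  rdns.map do |rdn|
    attr, val = rdn.split("=", 2)
    [attr.to_s.strip, val.to_s.strip]
  end
end

# Country = the last OU before the DC components. This is the OP's "3rd from
# last" element for a two-label domain, but it does not break when the
# domain has three labels or when a value contains an escaped comma.
def country_from_dn(dn)
  ous = parse_dn(dn).select { |attr, _| attr.casecmp?("OU") }
  ous.empty? ? nil : ous.last[1]
end

# The approach from the post, for comparison: split on "," and index -3.
def naive_country(dn)
  part = dn.split(",")[-3]
  part&.sub(/\AOU=/, "")
end

if __FILE__ == $0
  p get_field(SAMPLE_EVENT, "event_data.MemberName")      # nil: top-level key missing
  p get_field(SAMPLE_EVENT, "[event_data][MemberName]")   # the DN string
  p country_from_dn(SAMPLE_EVENT["event_data"]["MemberName"])
end
```

Inside a Logstash ruby filter the same lookups are `event.get("[event_data][MemberName]")` and `event.set("country", value)`; the Kibana display of the field as event_data.MemberName is dot notation for a nested object, not evidence of a top-level key with that name.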
