Remove Value in Logstash

Krunal_kalaria · February 9, 2018, 6:09am

Hello Everyone,

I need to remove fields value because its duplicate i have following configuration file and output

Symantec.conf

input
{
stdin{}
}

filter
{
csv
{
separator => ","
columns => ["Event Time", "Severity", "Host Name", "SHA-256", "MD-5", "Local Host IP", "Local Port", "Local Host MAC", "Remote Host IP", "Remote Host Name", "Remote Port", "Remote Host MAC", "Network Protocol", "Traffic Direction", "Begin Time", "End Time", "Occurrences", "Application Name", "Rule Name", "Location", "User Name", "Domain Name", "Action"]

	skip_empty_columns => false
}

}

output
{
elasticsearch
{
hosts => ["localhost:9200"]
index => "sym"
user => "elastic"
password => "changeme"
}
stdout { codec => rubydebug }
}

And i got this output:

{
"Local Host IP" => "Local: 0.0.0.0",
"Action" => "Action: Blocked",
"Remote Host MAC" => "Remote: 33330000000C",
"Occurrences" => "Occurrences: 1",
"Remote Port" => "Remote: 1900",
"Remote Host Name" => "Remote: ",
"@version" => "1",
"host" => "WIN-9CVTF5K10N9",
"Rule Name" => "Rule: Block all other IP traffic and log",
"MD-5" => "MD-5: ",
"Application Name" => "Application: ",
"End Time" => "End: 2018-02-06 17:42:06",
"Event Time" => "2018-02-06 17:43:11",
"User Name" => "User: krunalkalaria",
"Network Protocol" => "UDP",
"Local Port" => "Local: 64491",
"Severity" => "Info",
"Traffic Direction" => "Outbound",
"Host Name" => "KRUNALLAPTOP",
"message" => "2018-02-06 17:43:11,Info,KRUNALLAPTOP,SHA-256: ,MD-5: ,Local: 0.0.0.0,Local: 64491,Local: 0A
0027000016,Remote: 0.0.0.0,Remote: ,Remote: 1900,Remote: 33330000000C,UDP,Outbound,Begin: 2018-02-06 17:42:06,End: 2018-
02-06 17:42:06,Occurrences: 1,Application: ,Rule: Block all other IP traffic and log,Location: Default,User: krunalkalar
ia,Domain: GOOGLE,Action: Blocked\r",
"Local Host MAC" => "Local: 0A0027000016",
"Remote Host IP" => "Remote: 0.0.0.0",
"Begin Time" => "Begin: 2018-02-06 17:42:06",
"@timestamp" => 2018-02-09T05:48:13.183Z,
"SHA-256" => "SHA-256: ",
"Location" => "Location: Default",
"Domain Name" => "Domain: GOOGLE"
}

Its Parse Perfectly But that Bold Line in this i want to remove value like

Local Host Mac => Local:0A0027000016 so i want to remove Local from the value

Thanks & Regards,
Krunal.

magnusbaeck · February 9, 2018, 7:34am

Use a mutate filter and its gsub option.

Krunal_kalaria · February 9, 2018, 10:18am

Thanks for response @magnusbaeck how to use that i don't know in my case ill try but its not working if you have that solution can you give me some specific field.

magnusbaeck · February 9, 2018, 10:28am

What have you tried?

Krunal_kalaria · February 9, 2018, 10:29am

same as mutate gsub example because i dont understand where i need to change so please you can give me one command so i do it.

system · March 9, 2018, 10:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.