Rename field value of int with string name

John_Lim · June 20, 2019, 9:20pm

Hello all,
Please provide some tips regarding grok mutate issue.

1.) I created a Kibana dashboard but it will make more sense if I can rename the field value. For instance the action type of Web Security Gateway logs shows number (i.e. 0,1,2,3, etc), instead of showing number, how can I convert the value to (0=allowed, 1=denied, etc)..

for example:

filter {
if [type] == "syslog" {
grok {
match => { "message" => ["%{NUMBER:action_type} %{GREEDYDATA:protocol}" ] }
remove_field => "message"
if [action_type] == 0} {
mutate {
replace => [ "action_type", "allowed" ]
}
}
else if [action_type] == 1} {
mutate {
replace => [ "action_type", "denied" ]
.......
.......
}
}
}
}

Badger · June 20, 2019, 9:40pm

The translate filter documentation has an example similar to this. Make sure you read about the override option on that filter.

John_Lim · June 25, 2019, 1:58pm

Thanks, appreciate it....

system · July 23, 2019, 1:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.