Hello all,
Please provide some tips regarding a grok/mutate issue.
1.) I created a Kibana dashboard, but it would make more sense if I could rename the field value. For instance, the action type in the Web Security Gateway logs shows a number (i.e. 0, 1, 2, 3, etc.). Instead of showing the number, how can I convert the value (0=allowed, 1=denied, etc.)?
For example:
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => [ "%{NUMBER:action_type} %{GREEDYDATA:protocol}" ] }
      # remove_field only runs when the match succeeds
      remove_field => [ "message" ]
    }
    # the conditionals must sit outside the grok block, and grok captures
    # action_type as a string, so compare against "0", not the number 0
    if [action_type] == "0" {
      mutate {
        replace => { "action_type" => "allowed" }
      }
    }
    else if [action_type] == "1" {
      mutate {
        replace => { "action_type" => "denied" }
      }
    }
    .......
    .......
  }
}
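The same code-to-label mapping can be done without a chain of conditionals by using the translate filter, which ships with the default Logstash distribution. The following is an added example written for this thread, not configuration from the original post; the label values beyond 0 and 1, the target field name action_name and the fallback string are assumptions. It keeps the raw numeric code in action_type (useful for exact-match queries and alert rules) and writes the human-readable label to a separate field for the dashboard, and it labels unknown codes explicitly instead of leaving the field empty.

```logstash
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => [ "%{NUMBER:action_type} %{GREEDYDATA:protocol}" ] }
      remove_field => [ "message" ]
    }

    # Look up the numeric action code and write the label to action_name.
    # Dictionary keys are strings because grok captures action_type as text.
    # Codes 2 and 3 and their labels are assumed for illustration; replace
    # them with the values documented for your gateway.
    translate {
      source      => "action_type"
      target      => "action_name"
      dictionary  => {
        "0" => "allowed"
        "1" => "denied"
        "2" => "blocked-malware"
        "3" => "blocked-policy"
      }
      # Unknown codes get a visible marker instead of a missing field,
      # so a new or unexpected code shows up in the dashboard rather than
      # silently disappearing from the counts.
      fallback    => "unknown-%{action_type}"
      exact       => true
    }
  }
}
```

On translate filter versions before 3.3 the two option names are `field` and `destination` instead of `source` and `target`; everything else is the same. If you would rather overwrite action_type in place, set `target => "action_type"` together with `override => true`.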