Rename field

abu.sayeed · January 24, 2018, 5:06am

Winlogbeat fields name:

"event_data": {
"ProcessName"
"LogonGuid"
"IpPort"
"SubjectLogonId"
"TargetLogonGuid"
"SubjectUserName"
"TargetInfo"
"TargetServerName"
"SubjectDomainName"
"IpAddress"
"TargetUserName"
"ProcessId"
"TargetDomainName"
"SubjectUserSid"
},

But I wish

  "ProcessName"
  "LogonGuid"
  "IpPort"
  "SubjectLogonId"
  "TargetLogonGuid"
  "SubjectUserName"
  "TargetInfo"
  "TargetServerName"
  "SubjectDomainName"
  "IpAddress"
  "TargetUserName"
  "ProcessId"
  "TargetDomainName"
  "SubjectUserSid"

So how can I remove "event_data" from every fields?
need help.
Thanks

magnusbaeck · January 24, 2018, 5:22am

Use a mutate filter to rename each field into the top level or use a ruby filter to rename them all in one batch without having to enumerate every field. Examples of the latter has been posted in the past.

abu.sayeed · January 24, 2018, 6:46am

Thanks for your instruction. I change all by ruby filter.

system · February 21, 2018, 6:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to rename the field “event_data.TargetUserName” Logstash	1	534	February 15, 2018
Rename field winlog.event_data.TargetUserName Logstash	2	869	March 6, 2020
Drop "event_data." from data field Beats winlogbeat	7	2637	April 17, 2017
Remove part of field name from json inputted fields Logstash	9	3759	July 6, 2017
Drop part of a fieldname Logstash	3	311	March 9, 2020

Rename field

Related topics