Rename field

Elastic Stack Logstash
1

Winlogbeat fields name:

"event_data": {
"ProcessName"
"LogonGuid"
"IpPort"
"SubjectLogonId"
"TargetLogonGuid"
"SubjectUserName"
"TargetInfo"
"TargetServerName"
"SubjectDomainName"
"IpAddress"
"TargetUserName"
"ProcessId"
"TargetDomainName"
"SubjectUserSid"
},

But I wish

  "ProcessName"
  "LogonGuid"
  "IpPort"
  "SubjectLogonId"
  "TargetLogonGuid"
  "SubjectUserName"
  "TargetInfo"
  "TargetServerName"
  "SubjectDomainName"
  "IpAddress"
  "TargetUserName"
  "ProcessId"
  "TargetDomainName"
  "SubjectUserSid"

So how can I remove "event_data" from every fields?
need help.
Thanks

2

Use a mutate filter to rename each field into the top level or use a ruby filter to rename them all in one batch without having to enumerate every field. Examples of the latter has been posted in the past.

3

Thanks for your instruction. I change all by ruby filter.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.