Rename strings field to nested field

Elastic Stack Logstash
1

Hello every body,
I want to parse the logs bellow

Apr 20 01:10:04 hostname sshproxy[150]: [SSH Session] session_id="56454646eaeazjajflen" client_ip="X.X.X.X" target_ip="X.X.X.X" user="X.X.X.X" device="X.X.X.X" service="SSH" account="XXX" type="KBD_INPUT" data="sudo -i"

The config file:

filter{
grok{
match => {"message" => "%{SYSLOGBASE2} %{GREEDYDATA:syslog_message}}
}
kv{
source => "syslog_message"
value_split => "=""
field_split => ""\s"
}}

As output i had fields : (host, user,account, ...)
How can i convert the host field to [host][name], the user to [user][name] and account to [user][name]

Best regards,

2

Use mutate+rename...

mutate {
    rename => {
        "[user]" => "[user][name]"
        "[host]" => "[host][name]"
        ...
    }
}
1 Like
3

Hello badger,
Thank-you for your prompt response, after renaming the [host] with [host][name] I get the error bellow :

image
image1744×80 32.6 KB

And for the second one [user] with the [user][name] I had the result

image

The mutate filter

image
image719×111 8.15 KB

Can you please help me to resolve those issues
Best regard

4

If you have indexed events where [host] is the hostname then you will need to switch to a new index if you want [host] to be an object with a [name] field inside it. A field on a document can be text or an object, but it cannot be one on some documents and the other on others.

5

Hello Badger,

Thanks for the reply, Is it possible to convert the [host] field from text to objet? if yes how i can do it?

Best regards,

6

In elasticsearch if a field has already been mapped as text it cannot be changed to an object without re-indexing the data into a different index.

1 Like
7

Thanks Badger i will try to re-index the data to a different index

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.