Reserved fieldnames?

i have trouble in a mutation filter. At 1st i put data trough a kv filter in a target field "kv". That works fine. After that i want to rename the fields e.g.

mutate { rename => { "[kv][product]" => "[product]" }}

this works with round about 20 fields, exept with [kv][scheme] and [kv][methods].
Are there reserved fieldnames? How can i get access to the values or how can i rename the fields.

What happens with [kv][scheme] and [kv][methods]?

the filter don't handle [kv][scheme] and [kv][methods]

this is a output, in the message field the original input:
"@timestamp": "2018-07-23T15:07:05.000Z",
"@version": "1",
"action": "Decrypt",
"community": "RemoteAccess",
"dst": "",
"fw_subproduct": "VPN-1",
"host": "",
"ifdir": "inbound",
"ifname": "eth7",
"inzone": "External",
"kv": {
"methods:": "ESP: 3DES + SHA1",
"scheme:": "IKE"
"loguid": "{0x5b55ef19,0x1d,0xfb92a8c0,0xc0000005}",
"message": "time="1532358425" action="Decrypt" flags="417028" ifdir="inbound" ifname="eth7" logid="0" loguid="{0x5b55ef19,0x1d,0xfb92a8c0,0xc0000005}" origin="" originsicname="CN=srv-1,O=mgmt..yybz" sequencenum="88" time="1532358425" version="5" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={3860A-DB24-B449-9955-958B7D24};mgmt=mgmt;date=1532071301;policy_name=Policy-1]" community="RemoteAccess" dst="" fw_subproduct="VPN-1" inzone="External" lastupdatetime="1532358425" layer_name="Policy Network" layer_uuid="abcf83-bb37-4bd3-9418-39fdaeee9" match_id="0" parent_rule="0" rule_action="Accept" rule_name="Implied Rule " rule_uid="0E6801-8AB0-4b1e-A317-8BE3B43" methods:="ESP: 3DES + SHA1" nat_addtnl_rulenum="0" nat_rulenum="0" outzone="Local" peer_gateway="" product="VPN-1 & FireWall-1" proto="17" s_port="18203" scheme:="IKE" service="18234" service_id="tunnel_test" session_uid="{5B55-0000-0000-0AA6-FE020000}" src="" vpn_feature_name="VPN" xlatedport="0" xlatedst="" xlatesport="0" xlatesrc="" ",
"nat": {
"rulenum": "0",
"s_port": "0",
"src": "",
"nat_addtnl_rulenum": "0",
"d_port": "0",
"dst": ""
"origin": {
"ip": "",
"policy_name": "Cluster_Policy",
"name": "srv-1"
"outzone": "Local",
"peer_gateway": "",
"port": 58308,
"product": "VPN-1 & FireWall-1",
"protocol": "17",
"rule": {
"action": "Accept",
"uid": "0E-8AB0-4b1e-A317-8BE3305B43",
"name": "Implied Rule "
"sequencenum": "88",
"service": "18234",
"servicename": "tunnel_test",
"session_uid": "{5B55-0000-0000-0AA6-FE020000}",
"src": "",
"srcport": "18203",
"tags": [
"type": "checkpointlog",
"vpn_feature_name": "VPN"

oh no... now i see it.



This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.