Hi,
i get confuse how to set a new value for msg value from message field. i want set if message value == { "msg" : "ICMP flood" }, msg value will show only ICMP flood
i have try this but getting error
Hi 0ksigi,
Welcome to the community! For future, can you share the script snippet as code. It makes it easier to validate and try out than sharing via screenshot.
Looking at your script I immediately see 3 issues:
- For your if condition you seem to be containing the query in braces, aka
{, instead of brackets(. You should have something like this as per the syntax guide:
if (condition) {
// actionable code
}
-
I immediately see is you have an open string in your first emit statement. You should have
emit('ICMP flood'). -
The
emitfunction cannot not accept null values. I would suggest emitting either an empty string, aka'', or another alternative value.
Taking all into consideration, I think you need to try something like this:
if (doc['message'].value == {'msg': 'ICMP flood'}) {
emit('ICMP flood')
} else {
emit('')
}
Can you try the above and see what you get?
hi Carly, thank you for replying my question.
i have try your suggestion you have suggest to me, but it still get error.
before i continue my if else condition, i am trying to extract message field using
emit (doc["message"].value) but getting match_only_text fields do not support sorting and aggregations error.
So this new error is due to a sort or aggregation being applied to a text field. If you use the keyword field message.keyword instead of just message you should eliminate that error.
i am sorry, i am still confuse how to use
message keyword. i have try on my running field but get another error like
No field found for [message.keyword] in mapping
Interesting, looks like message.keyword isn't available on your index mapping. From the index pattern name it looks like you're using Filebeat. Can you share the index mapping and filebeat config?
I did find another related thread, albeit old, that suggests reindexing which could be worth a try.
and this is my filebeat config
============================== Filebeat inputs ===============================
filebeat.inputs:
Each - is an input. Most options can be set at the input level, so
you can use different inputs for various configurations.
Below are the input specific configurations.
filestream is an input for collecting log messages from files.
-
type: log
Unique ID among all inputs, an ID is required.
id: my-filestream-id
Change to true to enable this input configuration.
enabled: true
Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/snort/alert_json.txt*
#- c:\programdata\elasticsearch\logs*
- /var/log/snort/alert_json.txt*
================================== Outputs ===================================
Configure what output to use when sending the data collected by the beat.
---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
Array of hosts to connect to.
hosts: ["localhost:9200"]
this is my index mapping
{
"mappings": {
"_doc": {
"_meta": {
"beat": "filebeat",
"version": "7.17.8"
},
"dynamic_templates": [
{
"labels": {
"path_match": "labels.*",
"match_mapping_type": "string",
"mapping": {
"type": "keyword"
}
}
},
{
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.