Runtime conditional

LorensiusOksigii · January 30, 2023, 9:38am

Hi,

i get confuse how to set a new value for msg value from message field. i want set if message value == { "msg" : "ICMP flood" }, msg value will show only ICMP flood

i have try this but getting error

carly.richmond · January 30, 2023, 10:23am

Hi 0ksigi,

Welcome to the community! For future, can you share the script snippet as code. It makes it easier to validate and try out than sharing via screenshot.

Looking at your script I immediately see 3 issues:

For your if condition you seem to be containing the query in braces, aka {, instead of brackets (. You should have something like this as per the syntax guide:

if (condition) { 
  // actionable code
}

I immediately see is you have an open string in your first emit statement. You should have emit('ICMP flood').
The emit function cannot not accept null values. I would suggest emitting either an empty string, aka '', or another alternative value.

Taking all into consideration, I think you need to try something like this:

if (doc['message'].value == {'msg': 'ICMP flood'}) {
  emit('ICMP flood')
} else {
emit('')
}

Can you try the above and see what you get?

LorensiusOksigii · January 30, 2023, 5:08pm

hi Carly, thank you for replying my question.

i have try your suggestion you have suggest to me, but it still get error.

before i continue my if else condition, i am trying to extract message field using
emit (doc["message"].value) but getting match_only_text fields do not support sorting and aggregations error.

carly.richmond · January 30, 2023, 5:31pm

So this new error is due to a sort or aggregation being applied to a text field. If you use the keyword field message.keyword instead of just message you should eliminate that error.

LorensiusOksigii · January 31, 2023, 6:03am

i am sorry, i am still confuse how to use

message keyword. i have try on my running field but get another error like No field found for [message.keyword] in mapping

carly.richmond · January 31, 2023, 10:42am

Interesting, looks like message.keyword isn't available on your index mapping. From the index pattern name it looks like you're using Filebeat. Can you share the index mapping and filebeat config?

I did find another related thread, albeit old, that suggests reindexing which could be worth a try.

LorensiusOksigii · January 31, 2023, 6:38pm

and this is my filebeat config

============================== Filebeat inputs ===============================

filebeat.inputs:

Each - is an input. Most options can be set at the input level, so

you can use different inputs for various configurations.

Below are the input specific configurations.

filestream is an input for collecting log messages from files.

type: log

Unique ID among all inputs, an ID is required.

id: my-filestream-id

Change to true to enable this input configuration.

enabled: true

Paths that should be crawled and fetched. Glob based paths.

paths:
- /var/log/snort/alert_json.txt*
  #- c:\programdata\elasticsearch\logs*

================================== Outputs ===================================

Configure what output to use when sending the data collected by the beat.

---------------------------- Elasticsearch Output ----------------------------

output.elasticsearch:

Array of hosts to connect to.

hosts: ["localhost:9200"]

LorensiusOksigii · January 31, 2023, 6:39pm

this is my index mapping

{
  "mappings": {
    "_doc": {
      "_meta": {
        "beat": "filebeat",
        "version": "7.17.8"
      },
      "dynamic_templates": [
        {
          "labels": {
            "path_match": "labels.*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "keyword"
            }
          }
        },
        {

system · February 28, 2023, 6:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.