kolten
July 31, 2019, 11:50am
1
Hi,
I want to prune my logs and only take some fields.
input {
beats {
port => 5044
}
}
filter {
json {
source => "message"
remove_field => "message"
}
prune {
whitelist_names => [ "layers.ip.ip_ip_src_host" ]
#"[layers][ip][ip_ip_src_host]"
}
}
output {
elasticsearch {
hosts => "localhost:9200"
index => "webserver01-%{+YYYY-MM-dd}"
document_type => "pcap_file"
manage_template => false
}
}
My Json Object:
Prune Example
Badger
July 31, 2019, 12:11pm
2
Your data does not have dots in the field names, it has fields that contain objects. So you should be refering to [layers][ip][ip_ip_src_host]
kolten
July 31, 2019, 12:22pm
3
I referred like commented line
[layers][ip][ip_ip_src_host]
it doesnt work
Badger
July 31, 2019, 12:34pm
4
From the documentation...
This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.
kolten
July 31, 2019, 12:38pm
5
thanks @Badger Do you know how can i move to top level?
kolten
July 31, 2019, 12:52pm
6
I tried ruby code event.get and event.set but it doesnt work. Can you help me for write this code?
Badger
July 31, 2019, 1:07pm
7
If you really just want the one field then
prune { whitelist_names => [ "^layers" ] }
mutate { add_field => { "ip_src_host" => "%{[layers][ip][ip_ip_src_host]}" } }
mutate { remove_field => [ "layers" ] }
kolten
July 31, 2019, 1:36pm
8
Thanks @Badger it worked.
system
August 28, 2019, 1:38pm
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.