[SOLVED]Prune Filter Question

kolten · July 31, 2019, 11:50am

Hi,

I want to prune my logs and only take some fields.
Here is my logstash config file but this config didnt work. How can solve this issue?

input {
  beats {
    port => 5044
  }
}

filter {
    json {
        source => "message"
        remove_field => "message"
    }

    prune {
        whitelist_names => [ "layers.ip.ip_ip_src_host" ]
        #"[layers][ip][ip_ip_src_host]"
    }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "webserver01-%{+YYYY-MM-dd}"
    document_type => "pcap_file"
    manage_template => false
  }
}

My Json Object:

Badger · July 31, 2019, 12:11pm

Your data does not have dots in the field names, it has fields that contain objects. So you should be refering to [layers][ip][ip_ip_src_host]

kolten · July 31, 2019, 12:22pm

I referred like commented line

[layers][ip][ip_ip_src_host]

it doesnt work

Badger · July 31, 2019, 12:34pm

From the documentation...

This filter currently only support operations on top-level fields, i.e. whitelisting and blacklisting of subfields based on name or value does not work.

kolten · July 31, 2019, 12:38pm

thanks @Badger Do you know how can i move to top level?

kolten · July 31, 2019, 12:52pm

I tried ruby code event.get and event.set but it doesnt work. Can you help me for write this code?

Badger · July 31, 2019, 1:07pm

If you really just want the one field then

    prune { whitelist_names => [ "^layers" ] }
    mutate { add_field => { "ip_src_host" => "%{[layers][ip][ip_ip_src_host]}" } }
    mutate { remove_field => [ "layers" ] }

kolten · July 31, 2019, 1:36pm

Thanks @Badger it worked.

system · August 28, 2019, 1:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.