Hey guys, I'm new to ELK and I'm trying to figure out how to split my field into an array.
The JSON input looks like this:
{
  {
    "ID":"1",
    "FilesByProcess":"C:\Windows\system32\taskhost.exe:100;C:\Windows\system32\cmd.exe:10",
    "another_field":"xxx"
  }
  {
    "ID":"2",
    "FilesByProcess":"C:\Windows\system32\taskhost.exe:150;C:\Windows\system32\cmd.exe:600",
    "another_field":"xxx"
  }
  {
    "ID":"1",
    "FilesByProcess":"C:\Windows\system32\cmd.exe:10;C:\Windows\system32\svchost.exe:20",
    "another_field":"xxx"
  }
}
- FilesByProcess can have multiple values split by ";"
- I want to filter by ID and files by process; for example, for ID 1 I want to see how many files were modified by taskhost.exe (110)
I've looked for some answers and I tried the Split processor, but I don't see any results in Kibana:
"split": {
  "field": "FilesByProcess",
  "separator": ";"
}
I also tried the mutate filter plugin:
filter {
  mutate {
    split => { "FilesByProcess" => ";" }
  }
}
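An added example, not from the original post: the parsing a Logstash ruby filter would do for this field (there via event.get/event.set), written as stand-alone Ruby over plain hashes with constructed events mirroring the post. Splitting on ";" alone leaves "path:count" strings; the count has to be split off at the last colon, since the drive letter contains one too.

```ruby
# Added example, not from the original post: parse "FilesByProcess" the
# way a Logstash ruby filter would (event.get/event.set), but over plain
# hashes so it runs stand-alone. Entries are "<path>:<count>" joined by ";".
# Splitting on ":" alone is wrong: the Windows drive letter ("C:\...")
# also contains a colon, so each entry is split on its LAST colon only.

def parse_files_by_process(raw)
  return [] if raw.nil? || raw.strip.empty?
  raw.split(";").each_with_object([]) do |entry, acc|
    entry = entry.strip
    idx = entry.rindex(":")
    # Drop empty or malformed entries (no ":<count>" suffix)
    next if entry.empty? || idx.nil? || idx == entry.length - 1
    path  = entry[0...idx]
    count = entry[(idx + 1)..-1]
    next unless count =~ /\A\d+\z/   # count must be an integer
    acc << {
      "path"    => path,
      "process" => File.basename(path.tr("\\", "/")),  # e.g. taskhost.exe
      "count"   => count.to_i
    }
  end
end
# Equivalent of event.set in a Logstash ruby filter: keep the raw string
# and add the parsed array as a new field (map it `nested` in Elasticsearch,
# or per-process aggregations will mix counts across array elements).
def enrich_event(event)
  event.merge("files_by_process" => parse_files_by_process(event["FilesByProcess"]))
end

# Sum counts per (ID, process) across a batch of events.
def files_by_id_and_process(events)
  totals = Hash.new(0)
  events.each do |ev|
    enrich_event(ev)["files_by_process"].each do |e|
      totals[[ev["ID"], e["process"]]] += e["count"]
    end
  end
  totals
end

# Constructed sample events mirroring the post; single-quoted so the
# backslashes stay literal, as in the ingested data.
SAMPLE_EVENTS = [
  { "ID" => "1", "FilesByProcess" => 'C:\Windows\system32\taskhost.exe:100;C:\Windows\system32\cmd.exe:10' },
  { "ID" => "2", "FilesByProcess" => 'C:\Windows\system32\taskhost.exe:150;C:\Windows\system32\cmd.exe:600' },
  { "ID" => "1", "FilesByProcess" => 'C:\Windows\system32\cmd.exe:10;C:\Windows\system32\svchost.exe:20' }
]
puts files_by_id_and_process(SAMPLE_EVENTS).inspect if __FILE__ == $PROGRAM_NAME
```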