hello,
I want to substitute a grok filter by a dissect
In a few words, i want replace this grok filter
grok {
match => { "[raw_syslog_result][syslog_message]" => [
"THREAT,%{WORD:threat_type},%{DATA:generate_time},%{IP:source_ip},%{IP:dest_ip},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA:threat_contentname},%{DATA:threat_category},%{GREEDYDATA}"
]}
}
by this one
dissect{
mapping => {
"THREAT" => "{%threat_type} {%generate_time} {%source_ip}{%dest_ip}{%threat_contentname}{%threat_category}"
}
}
i've doubt on the syntax: is that correct?
Regards