Our firewall is sending log messages to our ELK stack. Most of these messages contain a source and destination IP address.. but occasionally these values are not present. These messages are being forward via email and the values %{src} or %{dst}) are shown if these values were not in the message received.
Is there any way to either remove or replace these with a string should these values not be present in a message received.
You could delete them using
prune {}
prune can whitelist and blacklist top-level fields based on either name or value. The default configuration is to blacklist (i.e. delete) any fields for which the name matches the regexp %{[^}]+}.
If you want to overwrite them you could use
if [nameOfDstField] == "%{dst}" { mutate { replace => { "nameOfDstField" => "someValue" } } }
etc.
Thanks for your response. Would this provide the flexibility to keep the field if the value exists, but remove if it does not?
If the field exists it must have a value. What value does it have?
What I am saying is some messages use the value, some do not. When they do not I would like to put a placeholder.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.