Test for field name containing special characters

I want to test a field name to see if it contains a "%" character and drop it if it does. I do a KV on web logs, and we regularly see threat actors trying to escape application logic with long strings in the URI, e.g.

I see lots of ruby options for string manipulation on the contents of fields, but not on names of fields.

You can do this in ruby...

ruby {
    code => '
        event.to_hash.each { |k, v|
            # Modify k to newk, e.g. strip every "%" from the field name
            newk = k.gsub(/%/, "")
            next if newk == k
            event.set(newk, v)
            event.remove(k)
        }
    '
}

Did you want to drop the %, or drop the entire field whose name contains %?

If the field name has a % in it, drop the field.

OK, change the body of the .each to

        # Drop the whole field when its name contains "%"
        if k.include? "%" then event.remove(k) end

I am trying that out now.
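Added example, not part of the original thread: the drop-the-field logic discussed above, runnable outside Logstash so it can be checked against sample input. `StubEvent` and `kv_split` are hypothetical stand-ins for the Logstash event object and the kv filter, and the query string is constructed.

```ruby
# Minimal stand-in for the two Logstash event methods the filter body uses
# (to_hash / remove). An assumption so the logic can run outside Logstash.
class StubEvent
  def initialize(fields = {})
    @data = fields.dup
  end

  def to_hash
    @data.dup # a copy, so removing fields while iterating over it is safe
  end

  def remove(name)
    @data.delete(name)
  end
end

# Rough equivalent of a kv split on "&" and "=" (hypothetical helper).
def kv_split(query)
  query.split("&").each_with_object({}) do |pair, out|
    key, value = pair.split("=", 2)
    out[key] = value.to_s unless key.nil? || key.empty?
  end
end

# The body discussed in the thread: drop every field whose name contains "%".
# Returns the dropped names so they can be counted or logged.
def drop_percent_fields(event)
  dropped = []
  event.to_hash.each do |k, _v|
    next unless k.include?("%")
    event.remove(k)
    dropped << k
  end
  dropped
end

# Constructed sample query string, not taken from real logs.
SAMPLE_QUERY = "id=42&%41%41%41%41%41%41=x&page=2&na%6De=bob"

def demo
  event = StubEvent.new(kv_split(SAMPLE_QUERY))
  dropped = drop_percent_fields(event)
  [event.to_hash.keys.sort, dropped.sort]
end

kept, dropped = demo
puts "kept: #{kept.inspect} dropped: #{dropped.inspect}"
```

In a real pipeline `event.to_hash` also contains `@timestamp` and `@version`, which pass through untouched because their names contain no `%`.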
