Translate filter is not working when the input is from filebeat module

Jeeth · August 27, 2020, 5:53pm

Hi all,

We have two different logstash pipelines for two different location data.

Paloalto --> syslog --> filebeat --> Logstash --> Elasticsearch (Parsing with filebeat panw module)
Paloalto --> syslog --> Logstash --> Elasticsearch(parsing with grok)

All the data is parsing correctly in both the cases. Now we have a new requirement where we need to compare a field source.ip with a dictionary using translate filter. This is working perfectly in case 2 but not working in case 1.
Please find the below translate filter im using in both the cases.

        translate {
        field => "destination.ip"
        destination => "event.MM_ids_ip"
        dictionary_path => '/tmp/IPv4_feedHCMCWithValue.csv'
        refresh_interval => 300
        override => "true"
        refresh_behaviour => "replace"
      }

So I believe this translate filter is failing in case of filebeat module usage. Can u help us solve this issue.

Badger · August 27, 2020, 6:04pm

Are you sure the field name has a period in it? Or is it the ECS [destination][ip]?

system · September 24, 2020, 6:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter not working Logstash	3	581	January 23, 2023
Send log files by filebeat cisco module to logstash Logstash	1	414	October 3, 2019
Logstash filter doesn't apply on the output Logstash	1	377	November 5, 2020
Help reviewing filter/input/ouput Packetbeat nor working with LS Logstash	9	1259	July 6, 2017
Log Filtration Issue with Filebeat and Logstash Configuration Logstash	19	509	September 13, 2023

Translate filter is not working when the input is from filebeat module

Related topics