Translate two fields in one event

john.bennett · May 3, 2018, 7:13pm

HI,
I have two translate blocks I am trying to translate two different fields from two dictionary yaml files. One for user name, one for IP.
So far, the first translate block is the only one that works. If IP is first then it works , if the USERNAME block is first it works fine. Just not both translates for IP and USERNAME at the name time. Odd? Help. The ssh grok I got from elasticsearch.

? How to get both translates to work on an event ( one event ) ?

My test code; for logstash, in the filter block.

if [source] == "/var/log/secure" {
grok {
id => "ssh"
match => { "message" => "Accepted %{WORD:auth_method} for %{USER:username} from %{IP:src_ip} port %{INT:src_port} ssh2" }
add_field => [ "ip_string", "%{src_ip}" ]
}

mutate {
add_tag => [ "source_secure_ssh" ]
convert => { "ip_string" => "string" }
}

translate {
id => "scr_ip"
dictionary_path => '/home/debug/ip.yaml'
field => "ip_string"
add_tag => [ "match_ip" ]
add_field => { "iplookup" => "match %{ip_string}" }
}

translate {
id => "username"
dictionary_path => '/home/debug/username.yaml'
field => "username"
add_tag => [ "match_username" ]
add_field => { "userlookup" => "match %{username}" }
}

}

Badger · May 3, 2018, 7:51pm

Both filters have a destination field called "translation" (the default) and override set to false (the default) so the second one does not do a translation.

john.bennett · May 3, 2018, 10:53pm

Badger, thanks for the tip.

I added;
override => true
to each translate block, now each translate block does the translate a-ok.
I did not use the destination directive , as I am all ready adding a field in each block.

JB

system · May 31, 2018, 10:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.