Hi,
I'm using winlogbeat to send information to logstash, and then all the information goes to a log in the filesystem and some information goes to elasticsearch.
To identify which information to store in ES, I identify certain events I don't want to store; those events are based on some values for [winlog][provider_name], [winlog][task] and [winlog][keywords].
I'd like to use translate, but as the field [winlog][keywords] is an array I don't know if there's something like an IN.
For instance:
{
  "winlog": {
    "keywords": [
      "Audit Success"
    ],
    "provider_name": "Microsoft-Windows-Security-Auditing",
    "task": "Logon"
  }
}
I want to be able to tell that if provider_name is "Microsoft-Windows-Security-Auditing" and task is "Logon" and "Audit Success" is in keywords, then I want to add a field to_es with "false".
I can do it with if-then-else, but I would like to use translate as it's easier to customize and maintain in the future.
Any idea?
Thanks
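Added example (not from the original poster): the membership check the question asks about, expressed as a small rule table plus a lookup function in plain Ruby. Logstash's ruby filter runs this kind of code (a script file with filter(event) using event.get and event.set), so the same logic can be moved into the pipeline; here it operates on plain hashes so it runs stand-alone. The DROP_RULES table, the helper names and the sample events are assumptions for illustration, and the to_es field takes the string "false" exactly as the post describes.

```ruby
# Added example, not code from the original post. Demonstrates an "IN" check
# over the [winlog][keywords] array combined with exact matches on
# provider_name and task, driven by a maintainable rule table.

# Hypothetical drop table (assumption): each rule names the exact
# provider_name and task to match and one keyword that must be present
# somewhere in the keywords array.
DROP_RULES = [
  { provider_name: "Microsoft-Windows-Security-Auditing",
    task: "Logon",
    keyword: "Audit Success" },
  { provider_name: "Microsoft-Windows-Security-Auditing",
    task: "Logoff",
    keyword: "Audit Success" },
].freeze

# Returns the keywords as an array so a missing field (nil -> []) or a
# scalar ("x" -> ["x"]) is handled the same way as the normal array.
def keywords_of(winlog)
  Array(winlog["keywords"])
end

# True when some rule matches: provider_name and task equal the rule's
# values and the rule's keyword is IN the keywords array.
def drop_from_es?(event)
  winlog = event["winlog"] || {}
  kws = keywords_of(winlog)
  DROP_RULES.any? do |rule|
    winlog["provider_name"] == rule[:provider_name] &&
      winlog["task"] == rule[:task] &&
      kws.include?(rule[:keyword])
  end
end

# Adds the to_es field as described in the post: "false" for events that
# match a drop rule, "true" otherwise. Returns the mutated event.
def tag_for_es(event)
  event["to_es"] = drop_from_es?(event) ? "false" : "true"
  event
end

# Constructed sample events (assumption) for a stand-alone run.
SAMPLE_EVENTS = [
  { "winlog" => { "keywords" => ["Audit Success"],
                  "provider_name" => "Microsoft-Windows-Security-Auditing",
                  "task" => "Logon" } },
  { "winlog" => { "keywords" => ["Audit Failure"],
                  "provider_name" => "Microsoft-Windows-Security-Auditing",
                  "task" => "Logon" } },
  { "winlog" => { "keywords" => ["Audit Success", "Other Keyword"],
                  "provider_name" => "Microsoft-Windows-Security-Auditing",
                  "task" => "Logon" } },
  { "winlog" => { "provider_name" => "Microsoft-Windows-Security-Auditing",
                  "task" => "Logon" } }, # keywords field missing entirely
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each do |ev|
    tagged = tag_for_es(ev)
    puts "#{ev["winlog"]["task"]} / #{keywords_of(ev["winlog"]).inspect} -> to_es=#{tagged["to_es"]}"
  end
end
```

Because the rule table is just data, adding or removing an exclusion means editing one entry rather than another if-then-else branch, which is the maintainability the post is after; an event whose keywords array holds several values still matches as long as the rule's keyword is one of them.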