There is a log with field "winlog.logon.failure.sub_status" and content is "User logon with misspelled or bad password"
Refer to Index connector and action | Kibana Guide [8.15] | Elastic
I created a rule that using index connector and setting of "Document to index" is:
{
"failedreason": "{{winlog.logon.failure.sub_status}}"
}
"failedreason" field exist in index that index connector link to but content is empty.
What can I do?
I think you are looking for Copy fields | Filebeat Reference [8.15] | Elastic processor
Thank you for reply.
I think the problem is not described correctly, I will describe it again
I couldn't find any good examples of this but I believe you'll need to do something like
{
"failedreason": "{{#context.hits}}{{winlog.logon.failure.sub_status}}{{/context.hits}}"
}
You should try {{_source.winlog.logon.failure.sub_status}}
see: {{winlog.logon.failure.sub_status}}
Unlucky, It doesn't work.
failedreason is empty
Unlucky, It doesn't work.
failedreason is empty.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.