gpt4 book ai didi

logstash-grok - Logstash - grok 重命名字段名称

转载 作者:行者123 更新时间:2023-12-02 21:05:09 32 4
gpt4 key购买 nike

以下是事件消息的示例:

{
"timestamp":"2016-03-29T22:35:44.770750-0400",
"flow_id":45385792,
"in_iface":"eth1",
"event_type":"alert",
"src_ip":"3.3.3.8",
"src_port":21,
"dest_ip":"2.2.2.2",
"dest_port":52934,
"proto":"TCP",
"alert":{
"action":"allowed",
"gid":1,
"signature_id":4027,
"rev":0,
"signature":"FTP Successful Login",
"category":"",
"severity":3
},
"payload":"MjU3ICIvaG9tZS9uZXd1c2VyIg0K",
"payload_printable":"257 newuser",
"stream":0,
"packet":"AFBWo0NoAFBWoxZWCABFAABJKDpAAEAGCGcDAwMIAgICAgAVzsbd4MhqOBOjfoAYAOMYcwAAAQEIChHN4EQHnwugMjU3ICIvaG9tZS9uZXd1c2VyIg0K"
}


input
beats
port => 5044
codec => json
type => "SuricataIDPS"

我的 Logstash 配置文件如下:

output 
elasticsearch
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
#document_type => "%{[@metadata][type]}"

我希望能够将字段重命名为alert.signature,

我该怎么做?...似乎它无法识别该字段...

感谢您的帮助!

埃夫拉特

最佳答案

您必须在 filter 节中定义 mutate 过滤器:

filter {

mutate {
rename => [ "[alert][signature]", "[alert][signature_renamed]" ]
}
}

关于logstash-grok - Logstash - grok 重命名字段名称,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36446314/

32 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com