Logstash - grok重命名字段名称

时间:2016-04-06 09:02:50

标签: logstash-grok

这是一个事件消息的例子:

worksheet.set_row(5, 30)
 worksheet.set_row(6, 30)
 worksheet.set_row(7, 30)

我的Logstash配置文件如下:

{
"timestamp":"2016-03-29T22:35:44.770750-0400",
"flow_id":45385792,
"in_iface":"eth1",
"event_type":"alert",
"src_ip":"3.3.3.8",
"src_port":21,
"dest_ip":"2.2.2.2",
"dest_port":52934,
"proto":"TCP",
"alert":{
    "action":"allowed",
    "gid":1,
    "signature_id":4027,
    "rev":0,
    "signature":"FTP Successful Login",
    "category":"",
    "severity":3
    },
"payload":"MjU3ICIvaG9tZS9uZXd1c2VyIg0K",
"payload_printable":"257 newuser",
"stream":0,
"packet":"AFBWo0NoAFBWoxZWCABFAABJKDpAAEAGCGcDAwMIAgICAgAVzsbd4MhqOBOjfoAYAOMYcwAAAQEIChHN4EQHnwugMjU3ICIvaG9tZS9uZXd1c2VyIg0K"
}


input 
    beats 
        port => 5044
        codec => json
        type => "SuricataIDPS"

我希望能够重命名字段alert.signature,

我怎么能这样做?......似乎它不认识那个领域......

感谢您的帮助!

埃弗拉特

1 个答案:

答案 0 :(得分:1)

您必须在mutate节中定义filter过滤器:

filter {

        mutate {
                rename =>  [ "[alert][signature]", "[alert][signature_renamed]"  ]
        }
}
相关问题
最新问题