LinkedIn
Twitter
1 ACCEPTED SOLUTION
This is a valid version, I could not find a resourcepath under metadata so I put in metadata.description
filter {
json {
source => "message"
array_function => "split_columns"
}
statedump {
"label" => "1"}
mutate {replace => {"temp"=>""}} #Init the concat token
for index1,item1 in folders {
mutate {convert => {"index1"=>"string"}}
mutate {replace => {"label1"=>""}} #Init the collector token
mutate {replace => {"obj.val"=>"%{item1.resourceFolderDisplayName}"}}
mutate {replace => {"label1"=>"%{obj.val}"}}
mutate {merge => {"labels"=>"label1"}} #Init the collector token
# Concat
if [index1]=='0' {mutate {replace => {"temp"=>"%{label1}"}}}
else {mutate {replace => {"temp"=>"%{temp}|%{label1}"}}}
statedump {
"label" => "2"}
}
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_name" => "Upstream"
"event.idm.read_only_udm.metadata.vendor_name" => "Upstream"
"event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
"event.idm.read_only_udm.metadata.description" => "%{temp}" #Concat in Temp
}
}
mutate {
merge => {
"@output" => "event"
}
}
statedump {
"label" => "3"}
}
This is a valid version, I could not find a resourcepath under metadata so I put in metadata.description
filter {
json {
source => "message"
array_function => "split_columns"
}
statedump {
"label" => "1"}
mutate {replace => {"temp"=>""}} #Init the concat token
for index1,item1 in folders {
mutate {convert => {"index1"=>"string"}}
mutate {replace => {"label1"=>""}} #Init the collector token
mutate {replace => {"obj.val"=>"%{item1.resourceFolderDisplayName}"}}
mutate {replace => {"label1"=>"%{obj.val}"}}
mutate {merge => {"labels"=>"label1"}} #Init the collector token
# Concat
if [index1]=='0' {mutate {replace => {"temp"=>"%{label1}"}}}
else {mutate {replace => {"temp"=>"%{temp}|%{label1}"}}}
statedump {
"label" => "2"}
}
mutate {
replace => {
"event.idm.read_only_udm.metadata.product_name" => "Upstream"
"event.idm.read_only_udm.metadata.vendor_name" => "Upstream"
"event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
"event.idm.read_only_udm.metadata.description" => "%{temp}" #Concat in Temp
}
}
mutate {
merge => {
"@output" => "event"
}
}
statedump {
"label" => "3"}
}
