Error with default parser for Fortinet logs

Some of my logs have a field whose value is a port number instead of a service name (such as HTTP or HTTPS). This causes a failure when SecOps tries to resolve the enum field Network.ApplicationProtocol.

The error shown in the screenshot is:

Index 0: Couldn't find enum value by name.

And this is the parser code block that maps the field in the original log to the UDM:

------------------

# Normalize the service name before using it as an enum value.
# The comparison value was missing from the posted snippet; "" is assumed here.
if [service] != "" {
  mutate {
    uppercase => ["service"]
  }
}
# Assign the (uppercased) service name to the UDM enum field.
mutate {
  replace => {
    "network.application_protocol" => "%{service}"
  }
  on_error => "service_value_invalid"
}

------------------

[Attachments: Sample error, Sample code]

I've tried adding a value check for when the service field contains a port number (an integer), but I get the same error. How do I handle this error?

Any suggestion on how to verify the value of the field before mapping it to the UDM?
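The check the question asks for, written out in Python as an added example rather than as parser code from the post or from Google: a Fortinet `service` value is accepted into `network.application_protocol` only when it is a known enum name; a bare port or a `tcp/port` / `udp/port` value goes to `target.port` (with a protocol name recovered from a well-known-port table where one exists), and anything else is parked in a free-text field. The enum subset, the port table, the `additional.fields.original_service` key and the sample log lines are all assumptions constructed for this illustration.

```python
import re
from typing import Dict, List

# Assumption: an illustrative subset of the Google SecOps
# Network.ApplicationProtocol enum names; extend it from the UDM field list.
APPLICATION_PROTOCOLS = frozenset({
    "HTTP", "HTTPS", "DNS", "SSH", "SMTP", "FTP", "RDP",
    "LDAP", "SMB", "DHCP", "NTP", "SNMP",
})

# Assumption: well-known IANA ports used to recover a protocol name when the
# Fortinet service field carries a port instead of a name.
WELL_KNOWN_PORTS: Dict[int, str] = {
    21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 67: "DHCP", 68: "DHCP",
    80: "HTTP", 123: "NTP", 161: "SNMP", 389: "LDAP", 443: "HTTPS",
    445: "SMB", 3389: "RDP",
}

# Matches a bare port ("8080") or FortiGate's proto/port form ("tcp/8080").
PORT_RE = re.compile(r"^(?:(?P<proto>tcp|udp)/)?(?P<port>\d{1,5})$", re.IGNORECASE)

# Matches key=value pairs, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortinet_kv(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a dict of raw strings."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV_RE.findall(line)}


def map_service(service: str) -> Dict[str, object]:
    """Decide which UDM fields one raw `service` value may safely populate.

    network.application_protocol is only set when the value is a known enum
    name, so the enum field is never handed an unknown string.
    """
    raw = service.strip()
    if not raw:
        return {}

    match = PORT_RE.match(raw)
    if match:
        port = int(match.group("port"))
        if not 0 <= port <= 65535:
            # Numeric but not a valid port: treat as free text, not an enum.
            return {"additional.fields.original_service": raw}
        fields: Dict[str, object] = {"target.port": port}
        if match.group("proto"):
            fields["network.ip_protocol"] = match.group("proto").upper()
        if port in WELL_KNOWN_PORTS:
            fields["network.application_protocol"] = WELL_KNOWN_PORTS[port]
        return fields

    name = raw.upper()
    if name in APPLICATION_PROTOCOLS:
        return {"network.application_protocol": name}

    # Unknown name: park it in a free-text field rather than the enum.
    # Assumption: the additional.fields key name is illustrative.
    return {"additional.fields.original_service": raw}


def map_log_line(line: str) -> Dict[str, object]:
    """Parse one FortiGate line and return the UDM fields derived from service."""
    return map_service(parse_fortinet_kv(line).get("service", ""))


# Constructed sample lines (not real traffic), shaped like FortiGate traffic logs.
SAMPLE_LOGS: List[str] = [
    'date=2024-05-01 time=10:00:01 devname="fw1" type="traffic" service="HTTPS" dstport=443 action="accept"',
    'date=2024-05-01 time=10:00:02 devname="fw1" type="traffic" service="tcp/8080" dstport=8080 action="accept"',
    'date=2024-05-01 time=10:00:03 devname="fw1" type="traffic" service="53" dstport=53 action="accept"',
    'date=2024-05-01 time=10:00:04 devname="fw1" type="traffic" service="MyCustomApp" dstport=9000 action="deny"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(parse_fortinet_kv(sample)["service"], "->", map_log_line(sample))
```

The same three-way split (known name, port, anything else) is what the parser needs to make before the `replace` into `network.application_protocol`: test the raw value first and only assign the enum field on the branch where the value is a valid name, sending ports and unrecognised strings to fields that accept them.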
