This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

SIEM search filter by numeric additional.fields

Posted on 07-09-2024 03:08 PM
chroniclearner
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I have a log source which parses out a field into additional.fields["Num_cloned_repos"]. The value is parsed as a numeric value. The parser code is as follows

 

if [Num_cloned_repos] != "" {
    mutate {
        replace => {
            "Num_cloned_repos_label.key" => "Num_cloned_repos"
        }
        rename => {
            "Num_cloned_repos" => "Num_cloned_repos_label.value.number_value"
        }
    }
    mutate {
        merge => {
            "additional.fields" => "Num_cloned_repos_label"
        }
    }
}

 

 While searching in SIEM search, I want to add a filter to only display events where Num_cloned_repos = 2

When I try below query, I get an error

 

metadata.log_type = "<LOG_TYPE>" and additional.fields["Num_cloned_repos"] = 2

 

compilation error validating query: type mismatch between "query.udm.additional.fields[Num_cloned_repos]" of type string and "2" of type int line: 1 column: 46-79 : invalid argument


When I try below query, I get an error

 

metadata.log_type = "<LOG_TYPE>" and additional.fields.key = "Num_cloned_repos" and additional.fields.value.number_value = 2

 

compilation error generating predicates: predicate conversion for filter expressions failed: dot syntax for map requires field path to end in "key" or "string_value" subfield: invalid argument

 How do I search a numeric additional.fields in SIEM search?

0 1 168
Topic Labels
0 Likes
1 REPLY 1
Top Solution Authors
View all