Hi everyone, Is there a way to delete a field value by using a parser
extension? I want to "move" a value from one UDM field to the other,
leaving the UDM field used by the default parser empty. However, I could
not find an explicit way to set it to n...
Hi everyone, Does anyone know how the asset enrichment with the parsers
for Windows events is supposed to work? I feel like a lot of parser
extensions is required to get consistent IDs. We are ingesting Windows
events as WINEVTLOG and AD asset data as ...
Hi All, We are already ingesting logs from Dell EMC PowerStore (with a
custom parser), but there is also a requirement to ingest logs from Dell
Compellent/SC Series and Dell EqualLogic - the predecessors of
PowerStore, as far as I know. Does anyone hav...
Hi all, My client wants to ingest logs from their Huawei OceanStor
Pacific appliances, but there is no datatype for this log source as of
now. How can I request one? And is there a "generic" data type which I
can use to ingest the logs and develop a p...
Hi aravind, Are you sure your date field always contains a valid date? If
the format is unstable, you can add more formats to the match array. If
it is not always a date, you could check for example with something
like if [date] =~ /\d+-\d+\d+T\d+:\d+\...
The problem might be that you use the same variable name for the
original string and the dictionary. I.e. try to change your code to if
[startTime] != "" and [startTime] != "--" { mutate { convert => {
"startTime" => "string" } on_error => "status_alr...
Hi manoj06, After extracting the fields from the JSON, you can use one of
date { match => ["endTimeISO", "yyyy-MM-ddTHH:mm:ss.SSSZZ"] } date {
match => ["startTimeISO", "yyyy-MM-ddTHH:mm:ss.SSSZZ"] } date { match =>
["eventTimeISO", "yyyy-MM-ddTHH:mm:...
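The two replies above (the regex guard before a date filter, and the date filters applied after JSON extraction) fit together in one parser snippet. The following is an added example in Chronicle's Logstash-like parser syntax, not code from any of the posts. It keeps the field names from the last reply (endTimeISO, startTimeISO, eventTimeISO) and models the guard on the earlier reply; the UDM target path, the error tag names, the fallback formats, and the quoting of the literal T in the pattern are my assumptions and should be checked against the parser documentation for your SecOps instance.

```logstash
filter {
  # Added example, not from the original posts. Field names below are
  # assumed to come from a JSON log line like (constructed sample):
  #   {"startTimeISO":"2024-05-01T10:15:30.123+0000","eventTimeISO":"bad"}
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }
  if [not_json] {
    drop {}
  }

  # Guard: only run the date filter when the field looks like an ISO-8601
  # timestamp, so a missing or malformed value does not abort the parser.
  # The regex and the fallback "ISO8601" token are assumptions.
  if [eventTimeISO] != "" and [eventTimeISO] =~ /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/ {
    date {
      match => ["eventTimeISO", "yyyy-MM-dd'T'HH:mm:ss.SSSZZ", "ISO8601"]
      target => "event.idm.read_only_udm.metadata.event_timestamp"
      on_error => "event_time_not_parsed"
    }
  }

  # Fall back to startTimeISO when eventTimeISO was absent or did not parse.
  # Assumed UDM path for the event timestamp; adjust to your schema.
  if [event_time_not_parsed] or ![event][idm][read_only_udm][metadata][event_timestamp] {
    if [startTimeISO] != "" and [startTimeISO] =~ /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/ {
      date {
        match => ["startTimeISO", "yyyy-MM-dd'T'HH:mm:ss.SSSZZ", "ISO8601"]
        target => "event.idm.read_only_udm.metadata.event_timestamp"
        on_error => "start_time_not_parsed"
      }
    }
  }

  # endTimeISO is kept in an additional field rather than the event timestamp
  # (assumed placement); the same guard pattern applies.
  if [endTimeISO] != "" and [endTimeISO] =~ /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/ {
    mutate {
      replace => { "event.idm.read_only_udm.additional.fields.endTimeISO" => "%{endTimeISO}" }
    }
  }

  mutate {
    merge => { "@output" => "event" }
  }
}
```

The point of the guard is that a date filter with no matching format raises an error, and without `on_error` that error fails the whole event; with a regex check in front of it and `on_error` set, the unparseable case becomes an ordinary branch you can fall back from.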