Hi,
I have application logs ingested into Elasticsearch and the logs are in JSON format. I want to filter Username under the Elasticsearch fields list, which means I want to get the "Username" field in the field list when a queried result displays.
The left fields column (All Events) should also have the Username field listed.
Sample user id --> ,"USER":"applogAdmin",
Those logs have the following characteristics and I hope they will help to filter "USER" correctly.
Program ---> AppNinja
tags ---> SEC
type ---> import_json
Can you please help me to filter the USER and add it to the field list?
Thank you
Luke
Add extra fields
Re: Add extra fields
Are these Windows' application logs or logs from an application running on the server? The JSON codec should be able to pull and create fields automatically based on the JSON. Test with the following input:
    tcp {
        type => 'SEC'
        port => 3516
        codec => json {
            charset => 'CP1252'
        }
    }
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Re: Add extra fields
Hi
I already managed to input those logs to NLS. But I don't see the fields displaying under the fields list (left side column). Can we write a filter to display a particular field, as I want to use it for further filtering?
Hope you can help me with this.
Thank you
Luke.
Re: Add extra fields
As long as the timeframe is correct then all available fields should be displayed. Are you sure the events are getting parsed and put in this field? You can try querying for events with this field:
Re: Add extra fields
Hi
I am uploading archived logs to NLS every 1 hour.
@timestamp - 2019-04-09T23:01:20.569Z
Message time stamp (content body) - 2019-04-10 06:04:01 171
Nothing has been displayed for fieldname:*
Input filter:
    tcp {
        type => 'APPLOG'
        tags => 'COOL'
        port => 2057
        codec => json { charset => 'CP1252' }
    }
Thank you
Luke.
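As an added illustration (not from the original thread and not Nagios' own configuration), here is an input plus filter section for the APPLOG input above: the json codec already creates a USER field from the JSON body, the mutate block exposes it as Username, lines that failed JSON parsing are tagged so an empty field list can be told apart from a parsing problem, and the date block corrects the hourly-upload lag between @timestamp and the time inside the body. The log_time key and its format are assumptions, since the thread does not show a raw log line; the output section is left to the existing NLS pipeline.

```logstash
input {
    tcp {
        type => 'APPLOG'
        tags => ['COOL']
        port => 2057
        # The json codec turns every top-level key of the body, including
        # "USER", into an event field; no extra filter is needed for that.
        codec => json { charset => 'CP1252' }
    }
}

filter {
    if [type] == "APPLOG" and "COOL" in [tags] {
        # Bodies that were not valid JSON keep the raw text in [message]
        # and carry _jsonparsefailure; they can never yield a USER field,
        # so mark them instead of wondering why the field list is empty.
        if "_jsonparsefailure" in [tags] {
            mutate { add_tag => ["applog_unparsed"] }
        } else {
            if [USER] {
                # Expose the value under the name wanted in the field list.
                mutate { rename => { "USER" => "Username" } }
            }
            # Archived logs are uploaded hourly, so @timestamp (receive time)
            # lags the time inside the body and events can fall outside the
            # dashboard's timeframe. ASSUMPTION: the body's time key is named
            # log_time with this layout; replace it with the real key/format.
            if [log_time] {
                date {
                    match => ["log_time", "yyyy-MM-dd HH:mm:ss"]
                    target => "@timestamp"
                }
            }
        }
    }
}
```

After restarting Logstash, a query for Username:* (or tags:applog_unparsed) over the corrected timeframe shows which of the two cases the missing field falls into.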
Re: Add extra fields
I should have clarified - "fieldname" should be the field that you're trying to have show up in the list.
The screenshots only show the messages field - we'll want to see the full event details (showing all fields).