如何使用 Logstash 转换数组中的所有值？

发布于 2025-01-20 04:59:13 字数 1151 浏览 2 评论 0原文

我通过 Logstash 在 ELasticsearch 中索引日志，其中包含一个带有代码数组的字段，例如：

indicator.codes : [ "3", "120", "148" ]

Logstash 中是否有某种方法可以在 csv 中查找这些代码并将类别和描述保存在 2 个新字段中，例如 Indicator.categories 和 indicator.descriptions。

具有 3 列的 csv 子集：

Column 1 => indicator.code
Column 2 => indicator.category
Column 3 => indicator.description

3;Hiding;There are signs in the header
4;Hiding;This binary might try to schedule a task
34;General;This is a 7zip selfextracting file
120;General;This is a selfextracting RAR file
121;General;This binary tries to run as a service
148;Stealthiness;This binary uses tunnel traffic

我一直在查看 csv 过滤器和翻译过滤器，但它们似乎无法查找多个键。

翻译过滤器< /a> 似乎只适用于 2 列。 csv 过滤器< /a> 似乎无法循环 indicator.codes 数组。

原文

I'm indexing logs in ELasticsearch through Logstash which contain a field with an array of codes, for example:

indicator.codes : [ "3", "120", "148" ]

Is there some way in Logstash to lookup these codes in a csv and save the categories and descriptions in 2 new fields such as indicator.categories and indicator.descriptions.

A subset of the csv with 3 columns:

Column 1 => indicator.code
Column 2 => indicator.category
Column 3 => indicator.description

3;Hiding;There are signs in the header
4;Hiding;This binary might try to schedule a task
34;General;This is a 7zip selfextracting file
120;General;This is a selfextracting RAR file
121;General;This binary tries to run as a service
148;Stealthiness;This binary uses tunnel traffic

I've been looking at the csv filter and the translate filter, but they do not seem to be able to lookup multiple keys.

The translate filter seems to work only with 2 columns. The csv filter seems unable to loop through the indicator.codes array.

分享到QQ

分享到微博