@Spades0
Created June 5, 2022 14:25
Run this request from the "Dev Tools" tab of the Wazuh dashboard to redefine the `filebeat-7.10.2-wazuh-alerts-pipeline` ingest pipeline so that the "data.url" field is renamed to "data.url_data"; the rename processor below only fires when the event's decoder name is `heartbeat_log_decoder` (see its "if" condition). The PUT replaces the whole pipeline definition, so every processor the pipeline should keep must be included in the body.
PUT _ingest/pipeline/filebeat-7.10.2-wazuh-alerts-pipeline
{
"description" : "Wazuh alerts pipeline",
"processors" : [
{
"json" : {
"field" : "message",
"add_to_root" : true
}
},
{
"geoip" : {
"ignore_failure" : true,
"field" : "data.srcip",
"target_field" : "GeoLocation",
"properties" : [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing" : true
}
},
{
"geoip" : {
"ignore_missing" : true,
"ignore_failure" : true,
"field" : "data.win.eventdata.ipAddress",
"target_field" : "GeoLocation",
"properties" : [
"city_name",
"country_name",
"region_name",
"location"
]
}
},
{
"geoip" : {
"field" : "data.aws.sourceIPAddress",
"target_field" : "GeoLocation",
"properties" : [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"geoip" : {
"ignore_failure" : true,
"field" : "data.gcp.jsonPayload.sourceIP",
"target_field" : "GeoLocation",
"properties" : [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing" : true
}
},
{
"date" : {
"field" : "timestamp",
"target_field" : "@timestamp",
"formats" : [
"ISO8601"
],
"ignore_failure" : false
}
},
{
"date_index_name" : {
"ignore_failure" : false,
"field" : "timestamp",
"date_rounding" : "d",
"index_name_prefix" : "{{fields.index_prefix}}",
"index_name_format" : "yyyy.MM.dd"
}
},
{
"rename": {
"field": "data.url",
"target_field": "data.url_data",
"if": "ctx?.decoder?.name == 'heartbeat_log_decoder'"
}
},
{
"remove" : {
"field" : "message",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"ignore_failure" : true,
"field" : "ecs",
"ignore_missing" : true
}
},
{
"remove" : {
"field" : "beat",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "input_type",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "tags",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "count",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "@version",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "log",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"ignore_missing" : true,
"ignore_failure" : true,
"field" : "offset"
}
},
{
"remove" : {
"field" : "type",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "host",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "fields",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "event",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"field" : "fileset",
"ignore_missing" : true,
"ignore_failure" : true
}
},
{
"remove" : {
"ignore_missing" : true,
"ignore_failure" : true,
"field" : "service"
}
}
],
"on_failure" : [
{
"drop" : { }
}
]
}