
  # Logstash filter section (braces reconstructed; the options below belong to a kv filter,
  # and add_field is applied through mutate). The empty "" comparisons are as on the page.
  filter {
    if [type] == "syslog" {
      kv {
        include_keys => ["OUT","IN","SRC","SPT","DST","DPT","PROTO","ACTION"]
        trim => "<>\[\],"
        trimkey => "<>\[\],"
      }

      # This will drop Google DNS Requests
      #if [DST] == "" {
      #  drop {}
      #}

      if [SRC] == "" {
        mutate {
          add_field => { "IPOwner" => "DeviceChristopher" "Device" => "MOSNASGalaxy" "Interface" => "CableWifi" }
        }
      }
      if [SRC] == "" {
        mutate {
          add_field => { "IPOwner" => "Device" "Device" => "KHVG145-TSkur Cam" "Interface" => "Cable" }
        }
      }
    }
  }



The problem here is that the data is persistent in Elasticsearch, so changes to IPs and devices are not reflected in events that were already indexed. In Splunk I solved this with a lookup; in Kibana it can now be done with scripted fields in the new "Painless" language, whose documentation states that the Painless syntax is similar to Groovy.

Scripted fields are found in the Management section.

So, my field in the first successful attempt looks like this:


  // Kibana scripted field (Painless); closing braces reconstructed.
  // The empty "" comparisons are as on the page. If no branch matches,
  // the script returns null, so the field is simply empty for that document.
  if (doc['SRC.keyword'].value == "") {
      return "Toke"
  }
  if (doc['SRC.keyword'].value == "") {
      return "Christopher"
  }
  if (doc['SRC.keyword'].value == "") {
      return "Toke"
  }

And the result is evident: the field shows the owner name in Discover.

In Logstash I had the possibility to return three fields in one go (IPOwner, Device and Interface), but I assume that with scripted fields I need to make one scripted field per field.
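The two Painless snippets above compare the source IP one `if` at a time and read `doc['SRC.keyword'].value` without checking that the field exists, which throws on any syslog document that has no SRC key and fails the whole search. The following is an added example, not code from the original page: it keeps the whole IP-to-owner/device/interface table in one map so that the three scripted fields share the same data, and it handles documents with no SRC field. The IPs 192.0.2.10 and 192.0.2.11 are constructed placeholders from the documentation range, not the author's real addresses.

```painless
// Added example (not from the original page). The 192.0.2.x addresses are
// constructed placeholders; replace them with the real LAN addresses.
// Pick which attribute this scripted field returns. Create three scripted
// fields with the same script and set attr to "IPOwner", "Device" or
// "Interface" in each; the table itself is edited in one place only.
String attr = "IPOwner";

def table = [
  "192.0.2.10": ["IPOwner": "Christopher", "Device": "MOSNASGalaxy",      "Interface": "CableWifi"],
  "192.0.2.11": ["IPOwner": "Toke",        "Device": "KHVG145-TSkur Cam", "Interface": "Cable"]
];

// Documents without a SRC field (syslog lines that are not firewall events)
// have an empty doc-values list; calling .value on it throws and breaks the
// query, so check size() first and return a marker value instead.
if (doc['SRC.keyword'].size() == 0) {
  return "no-src";
}

String src = doc['SRC.keyword'].value;
if (table.containsKey(src)) {
  return table[src][attr];
}

// Unknown source: surface the address instead of returning null, so a new
// or unexpected device on the network is visible in a visualization
// rather than silently blank.
return "unknown:" + src;
```

Because scripted fields are evaluated at query time, editing the map changes the owner shown for every historic event as well, which is exactly what the Logstash add_field approach could not do. The cost is that the script runs for each matching document on every search, so keep the table small and keep the script free of loops.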