Parse tag to create new field (without removing the actual tag)

Hello

While using inputs.win_eventlog to collect some events, I would like to create a field depending on the ID of the event. The problem is:

  • the EventID is a tag; using processors.converter, I can only create a new tag value, e.g.:
[[processors.enum]]
  [[processors.enum.mapping]]
    tag = "EventID"
    dest = "EventTXT"
    [processors.enum.mapping.value_mappings]
      25 = "Session_connected"
      26 = "Session_disconnected"
      27 = "Session_broken"

That gives something like that:

win_eventlog,LevelText=Information,EventID=26,EventTXT=Session_disconnected,host=MyMachine Channel="application alpha",Level=4i 1679916645000000000

But I would like to have a new field instead of a new tag:

win_eventlog,LevelText=Information,EventID=26,host=MyMachine Channel="application alpha",EventTXT="Session_disconnected",Level=4i 1679916645000000000

Is this possible?

With the converter processor you CAN convert a tag to a field:

[[processors.converter]]
  [processors.converter.tags]
    string = ["EventTXT"]

Note that order may matter when using multiple processors; you can write your config in the appropriate order, or put order = X in the config section itself.

Hello Giovanni
Thanks, but I want to copy or clone the tag into a field.

This would allow me to filter it via the tag and show the value in a table, or do calculations on it with other tools later.

The convert option "moves it" from tag to field, which is useful in other scenarios.

Regards

It's a bad idea to have a tag and a field with the same name; which one will be used if you reference it?

You can use processors.enum twice to generate 2 tags with different names, or clone it using processors.strings (not 100% sure about this one).

Then convert one from tag to field with processors.converter.

Hmm, technically, for my need the field can be named differently, so I will look at the option to clone the tag value to a new one with a different name and then convert it.

Thanks a lot.

So I reply to myself with the solution that is in place now:

First, we clone the tag to a new name.
Second, we convert it from tag → field.
Third, we rename it again to correspond to the final field.
Fourth, I convert the integer value to a human-readable value.

## create a new tag; this is temporary, as the next block converts the tag into a field
[[processors.regex.tags]]
    key = "EventID"
    result_key = "Event_ID"

[[processors.converter]]
  [processors.converter.tags]
    integer = ["Event_ID"]

## create a new field with a simple short name/description depending on the ID
[[processors.enum]]
  [[processors.enum.mapping]]
    ## Name of the field to map. Globs accepted.
    field = "Event_ID"
    dest = "EventTXT"

    ## Default value to be used for all values not contained in the mapping
    ## table.  When unset and no match is found, the original field will remain
    ## unmodified and the destination tag or field will not be created.
    # default = 0

    ## Table of mappings
    [processors.enum.mapping.value_mappings]
      25 = "ICA Session Connected"
      26 = "ICA Session Disconnected"
      27 = "ICA Connection Broken"
      1015 = "LSASS crash"

The objective is to keep the tag, allowing filtering by tag, and when the data is presented the field is readable by a human.

Have a nice day!

P.S. If there is a better way to proceed, I have no problem changing that :slight_smile:
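The following is an added example, not part of the thread and not Telegraf's own code: a small hand-written Python simulation of the four-step processor chain from the last post (clone the tag with processors.regex, convert it to an integer field with processors.converter, map it to a readable field with processors.enum), run over constructed line-protocol samples so the tag-versus-field result asked for in the first post can be inspected offline. It assumes the processor semantics as the thread describes them (in particular that a processors.regex entry with only key and result_key copies the value unchanged, and that an unmatched ID creates no EventTXT when default is unset); the parser handles quoted field strings such as Channel="application alpha", and the sample lines and the extra EventID 42 (absent from the mapping table) are constructed for the demonstration.

```python
# Added example (not from the thread and not Telegraf's code): a by-hand model
# of the final post's processor chain, applied to constructed line-protocol samples.
import re

# Constructed sample lines in the shape shown in the thread (not real events).
SAMPLE_LINES = [
    'win_eventlog,LevelText=Information,EventID=26,host=MyMachine '
    'Channel="application alpha",Level=4i 1679916645000000000',
    'win_eventlog,LevelText=Error,EventID=1015,host=MyMachine '
    'Channel="application alpha",Level=2i 1679916646000000000',
    # EventID with no entry in the mapping table: no EventTXT may be created.
    'win_eventlog,LevelText=Information,EventID=42,host=MyMachine '
    'Channel="application alpha",Level=4i 1679916647000000000',
]

# Same table as the final post's [processors.enum.mapping.value_mappings].
VALUE_MAPPINGS = {
    25: "ICA Session Connected",
    26: "ICA Session Disconnected",
    27: "ICA Connection Broken",
    1015: "LSASS crash",
}


def _split_outside_quotes(text, sep):
    """Split on sep only where it is outside double quotes (field strings may
    contain spaces and commas, e.g. Channel="application alpha")."""
    return re.split(sep + r'(?=(?:[^"]*"[^"]*")*[^"]*$)', text)


def _parse_field_value(raw):
    """Decode one line-protocol field value: "str", 42i, true/false, or float."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"')
    if raw.endswith("i") and raw[:-1].lstrip("-").isdigit():
        return int(raw[:-1])
    if raw in ("t", "true", "T", "True", "TRUE"):
        return True
    if raw in ("f", "false", "F", "False", "FALSE"):
        return False
    return float(raw)


def parse_line(line):
    """Parse 'measurement,tag=v field=v ts' into (measurement, tags, fields, ts)."""
    head, field_part, timestamp = _split_outside_quotes(line, " ")
    measurement, *tag_pairs = head.split(",")
    tags = dict(pair.split("=", 1) for pair in tag_pairs)
    fields = {}
    for pair in _split_outside_quotes(field_part, ","):
        key, raw = pair.split("=", 1)
        fields[key] = _parse_field_value(raw)
    return measurement, tags, fields, timestamp


def regex_clone_tag(tags, key, result_key):
    """Step 1, modelling [[processors.regex.tags]] with only key/result_key:
    assumed here to copy the tag value unchanged into the new tag name."""
    if key in tags:
        tags[result_key] = tags[key]


def converter_tags_to_integer(tags, fields, names):
    """Step 2, modelling [processors.converter.tags] integer = [...]: the tag is
    removed and re-emitted as an integer field. A value that does not parse is
    dropped (an assumption of this model, not a statement about Telegraf)."""
    for name in names:
        if name not in tags:
            continue
        raw = tags.pop(name)
        try:
            fields[name] = int(raw)
        except ValueError:
            pass


def enum_field(fields, field, dest, value_mappings, default=None):
    """Steps 3+4, modelling [[processors.enum.mapping]] on a field: a matching
    entry is written to dest; with default unset and no match, dest is not created."""
    if field not in fields:
        return
    value = fields[field]
    if value in value_mappings:
        fields[dest] = value_mappings[value]
    elif default is not None:
        fields[dest] = default


def _format_field_value(value):
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return f"{value}i"
    if isinstance(value, str):
        return '"' + value.replace('"', '\\"') + '"'
    return repr(value)


def to_line(measurement, tags, fields, timestamp):
    """Serialize back to line protocol (tags sorted for a stable output)."""
    tag_part = ",".join(f"{k}={tags[k]}" for k in sorted(tags))
    field_part = ",".join(f"{k}={_format_field_value(v)}" for k, v in fields.items())
    return f"{measurement},{tag_part} {field_part} {timestamp}"


def run_chain(line):
    """Apply the processors in the order of the final post; the order matters,
    as the converter must see the cloned tag and enum must see the new field."""
    measurement, tags, fields, timestamp = parse_line(line)
    regex_clone_tag(tags, key="EventID", result_key="Event_ID")
    converter_tags_to_integer(tags, fields, ["Event_ID"])
    enum_field(fields, "Event_ID", "EventTXT", VALUE_MAPPINGS)
    return measurement, tags, fields, timestamp


def process_lines(lines):
    return [to_line(*run_chain(line)) for line in lines]


if __name__ == "__main__":
    for out in process_lines(SAMPLE_LINES):
        print(out)
```

Running it shows the EventID tag still present for filtering while EventTXT and Event_ID arrive as fields, and the third sample (ID 42) keeps its Event_ID field but gets no EventTXT, which is the behaviour the commented-out `default` in the enum block controls.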