Break out related.geo to validate the data exists first

rocknsm · Jan 17, 2019 · b99c7ae · b99c7ae
1 parent df88d06
commit b99c7ae
Showing 1 changed file with 30 additions and 11 deletions.
diff --git a/ecs-configuration/logstash/conf.d/logstash-900-filter-ecs-enrich.conf b/ecs-configuration/logstash/conf.d/logstash-900-filter-ecs-enrich.conf
@@ -22,8 +22,13 @@ filter {
       mutate {
         merge => { "[related][ip]" => "[network][client][ip]" }
         # Add the location to related
-        add_field => {
-          "[related][geo]" => "%{[network][client][geo][location][latitude]},%{[network][client][geo][location][longitude]}"
+      }
+
+      if [network][client][geo] {
+        mutate {
+          merge => {
+            "[related][geo]" => ["%{[network][client][geo][location][latitude]},%{[network][client][geo][location][longitude]}"]
+          }
         }
       }
     }
@@ -44,9 +49,14 @@ filter {
       # Update related IPs
       mutate {
         merge => { "[related][ip]" => "[network][server][ip]" }
-        # Add the location to related
-        add_field => {
-          "[related][geo]" => "%{[network][server][geo][location][latitude]},%{[network][server][geo][location][longitude]}"
+      }
+
+      if [network][server][geo] {
+        mutate {
+          # Add the location to related
+          merge => {
+            "[related][geo]" => "%{[network][server][geo][location][latitude]},%{[network][server][geo][location][longitude]}"
+          }
         }
       }
     }
@@ -67,9 +77,13 @@ filter {
       # Update related IPs
       mutate {
         merge => { "[related][ip]" => "[network][source][ip]" }
-        # Add the location to related
-        add_field => {
-          "[related][geo]" => "%{[network][source][geo][location][latitude]},%{[network][source][geo][location][longitude]}"
+      }
+      if [network][source][geo] {
+        mutate {
+          # Add the location to related
+          merge => {
+            "[related][geo]" => "%{[network][source][geo][location][latitude]},%{[network][source][geo][location][longitude]}"
+          }
         }
       }
     }
@@ -90,9 +104,14 @@ filter {
       # Update related IPs
       mutate {
         merge => { "[related][ip]" => "[network][destination][ip]" }
-        # Add the location to related
-        add_field => {
-          "[related][geo]" => "%{[network][destination][geo][location][latitude]},%{[network][destination][geo][location][longitude]}"
+      }
+
+      if [network][destination][geo] {
+        mutate {
+          # Add the location to related
+          merge => {
+            "[related][geo]" => "%{[network][destination][geo][location][latitude]},%{[network][destination][geo][location][longitude]}"
+          }
         }
       }
     }