Understanding convert in parsing

Question

Hello Team, we encountered an error while trying to convert a field to a string. We tried converting to string, but again we encountered same error.

Error - "generic::invalid_argument: pipeline failed: filter mutate (30) failed: replace failure: field \\"startTime.value\\": source field \\"startTime\\": source field value must be a string"

Please find the below code

if [startTime] != "" and [startTime] != "--" {

mutate {
convert => {
"startTime" => "string"
}
on_error => "status_already_string"
}

mutate {
replace => {
"startTime.key" => "Start Time"
"startTime.value" => "%{startTime}"

}
merge => {
"security_result.detection_fields" => "startTime"
}
}
}

lukas-lr · Accepted Answer

The problem might be that you use the same variable name for the original string and the dictionary. I.e. try to change your code toif [startTime] != "" and [startTime] != "--" {mutate {convert => {"startTime" => "string"}on_error => "status_already_string"}mutate {replace => {"startTimeLabel.key" => "Start Time""startTimeLabel.value" => "%{startTime}"}merge => {"security_result.detection_fields" => "startTimeLabel"}}}

Anonymous · Answer

Thank you

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded