mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 17:18:20 +00:00
b28801ce95
- When a log record is being "unrolled" (sub-records flattened
out into a single record), it's now possible to choose the
character/string to separate the outer name from the inner
name. This can be used to work around the problems
with ElasticSearch 2.0 not supporting dots "." in field names.
This value can be provided per-filter as well as a global
default value.
- Log fields can be renamed by providing a table per-filter
(or a global default) to rename fields for any log writer.
The name translation is performed after unrolling so the
value in the field name table must match whatever is being
used to separate field names.
For example if the unrolling separator was set to "*":
redef Log::default_unrolling_sep = "*";
The field name map would need to reflect it:
redef Log::default_field_name_map = {
["id*orig_h"] = "src",
["id*orig_p"] = "src_port",
["id*resp_h"] = "dst",
["id*resp_p"] = "dst_port",
};
|
||
|---|---|---|
| .. | ||
| analyzer | ||
| broker | ||
| cluster | ||
| communication | ||
| control | ||
| dpd | ||
| files | ||
| input | ||
| intel | ||
| logging | ||
| netcontrol | ||
| notice | ||
| openflow | ||
| packet-filter | ||
| reporter | ||
| signatures | ||
| software | ||
| sumstats | ||
| tunnels | ||