uploading zeek log files with rolled-over filenames including the date don't get the log type detected correctly #490

mmguero · 2024-11-07T13:47:33Z

A user reported that uploading zeek logs as described here:

the log type gets set as the name of the log.timestamp (eg: analyzer.03:00:00_03:49:27). Then there are some costume fields in the meta data that also have the same naming (eg: analyzer.03:00:00_03:49:27._path, analyzer.03:00:00_03:49:27.analyzer_kind), when going to a dashboard for a protocol a lot of the visualizations don't load any data because they don't know how to read some of the fields i guess. Just for some context the logs i'm playing with come from a hedgehog sensor capturing live data.

We need to verify that this is the case and figure out why this code isn't working to extract the field name correctly.

mmguero added bug Something isn't working logstash Relating to Malcolm's use of Logstash regression It worked at one point... upload Relating to PCAP and/or Zeek log ingestion labels Nov 7, 2024

mmguero added this to the v24.11.0 milestone Nov 7, 2024

mmguero added this to Malcolm Nov 7, 2024

mmguero moved this to Triage in Malcolm Nov 8, 2024

mmguero modified the milestones: v24.11.0, v24.12.0 Nov 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

uploading zeek log files with rolled-over filenames including the date don't get the log type detected correctly #490

uploading zeek log files with rolled-over filenames including the date don't get the log type detected correctly #490

mmguero commented Nov 7, 2024

uploading zeek log files with rolled-over filenames including the date don't get the log type detected correctly #490

uploading zeek log files with rolled-over filenames including the date don't get the log type detected correctly #490

Comments

mmguero commented Nov 7, 2024