Hello, any idea how I can correctly display “quick values” for F5 ASM module violations?
Syslog message:
... violations="HTTP protocol compliance failed,System found unauthorized protocol" ...
Parser:
violations="%{DATA:violations}"
Default ES mapping:
violations = keyword
When the field mapping is changed to “text” with fielddata:true, the aggregation does not make sense:
protocol: 2
http: 1…
I expect aggregation like this:
HTTP protocol compliance failed: 1
System found unauthorized protocol: 1
Can this somehow be solved with a pipeline/array?
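An added example, not part of the original post and not Graylog or Elasticsearch code: a small Python model of how a terms aggregation buckets the violations value from the post under the three treatments discussed (keyword, analyzed text, and split on the comma into an array of keyword values). The tokenizer only approximates the standard analyzer, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the violations value from the post, as a single message.
MESSAGES = [
    "HTTP protocol compliance failed,System found unauthorized protocol",
]


def keyword_terms(value):
    """keyword mapping: the whole string is indexed as one term."""
    return [value]


def analyzed_terms(value):
    """text mapping with fielddata: rough stand-in for the standard analyzer
    (lowercase, break on non-word characters)."""
    return re.findall(r"\w+", value.lower())


def split_terms(value, sep=","):
    """Value split into an array before indexing; each element stays a keyword."""
    return [part.strip() for part in value.split(sep) if part.strip()]


def terms_aggregation(values, to_terms):
    """Count documents per term (a term repeated inside one document
    is counted once for that document)."""
    buckets = Counter()
    for value in values:
        buckets.update(set(to_terms(value)))
    return dict(buckets)


if __name__ == "__main__":
    for name, fn in [
        ("keyword", keyword_terms),
        ("text + fielddata", analyzed_terms),
        ("split on comma", split_terms),
    ]:
        print(name, "->", terms_aggregation(MESSAGES, fn))
```

Only the split variant produces one bucket per violation name, because each array element is indexed as its own keyword term.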