Teach me, oh Pipeline Wizards... I have DNS Header Flag fields coming in that are boolean, like `aa: false`, `ra: true`, `rd: true`, `tc: false`, etc. I would like to convert this to ECS by just having one object (`dns.header_flags`) with an array of the header flag names, shown in the array only if their above-referenced field value is `true`. So the JSON would end up being structured like this:

```json
"dns": { "header_flags": [ "rd","rd" ],
```

And the false fields would be dropped. I would also like to be able to do this in one function instead of a function with a filter for each potential Header Flag Field.
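One way to do the whole conversion in a single pass, as an added example (not code from the thread or from Cribl): the flag names `aa`, `ra`, `rd`, `tc` come from the question; `qr`, `ad` and `cd` are the other standard DNS header flag bits and are included as an assumption, as is the lowercase spelling the question uses. Cribl expressions are plain JavaScript, so the same `filter` expression can be pasted into an Eval function as the value for `dns.header_flags`.

```javascript
// Added example, not from the thread or Cribl's own code: collapse
// per-flag boolean fields (aa, ra, rd, tc, ...) into a single
// ECS-style dns.header_flags array in one pass, dropping the false ones.

// Flag names to look for. aa, ra, rd, tc come from the question; qr, ad and cd
// are the other standard DNS header flag bits and are included as an assumption.
// The order of this list is the order flags appear in the output array, so the
// result is deterministic regardless of the order fields arrive in the event.
const DNS_HEADER_FLAGS = ["qr", "aa", "tc", "rd", "ra", "ad", "cd"];

// Treat a field as "set" when it is boolean true or the string "true"
// (the string form is common when the event came through a text parser).
function isSet(value) {
  return value === true || (typeof value === "string" && value.toLowerCase() === "true");
}

// Return the names of the flags that are set, in DNS_HEADER_FLAGS order.
// This is the one expression that replaces a filter per flag field.
function headerFlagsFrom(fields, flagNames = DNS_HEADER_FLAGS) {
  return flagNames.filter((name) => isSet(fields[name]));
}

// Rewrite an event: move the boolean flag fields under dns.header_flags and
// remove the originals (true and false alike). Returns a new object; the
// input event is not mutated.
function toEcsDns(event, flagNames = DNS_HEADER_FLAGS) {
  const out = { ...event };
  const flags = headerFlagsFrom(event, flagNames);
  for (const name of flagNames) delete out[name];
  // Only emit the array when at least one flag is set, so an event with no
  // flags does not pick up an empty dns.header_flags field.
  if (flags.length > 0) {
    out.dns = { ...(out.dns || {}), header_flags: flags };
  }
  return out;
}

// Constructed sample event shaped like the one in the question.
const sample = { aa: false, ra: true, rd: true, tc: false, query: "example.com" };
console.log(JSON.stringify(toEcsDns(sample)));
// {"query":"example.com","dns":{"header_flags":["rd","ra"]}}
```

Two things worth knowing before wiring this in: the ECS field definition lists its expected values in uppercase (`AA`, `TC`, `RD`, `RA`, `AD`, `CD`, `DO`), so add a `.map((n) => n.toUpperCase())` to `headerFlagsFrom` if downstream dashboards or detections key on the ECS spelling; and keeping the output order fixed by the flag list (rather than by incoming field order) means two events with the same flags always produce the same array, which makes exact-match rules and deduplication on `dns.header_flags` reliable.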
this is a good place to start: https://sandbox.cribl.io/course/expressions
Is this particular technique covered in that course?
the really great thing about Cribl using JS for its processing language is it's so easy to code by ~google~ duckduckgo
no, it's more generic. will help with the basics
Yeah, I was more looking for keywords of how to ~google~ presearch the particular technique.