Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Support for sprintf format in Microsoft Sentinel output plugin for Logstash #11303

Open Miguel-Francisco opened 1 day ago

Miguel-Francisco commented 1 day ago

Currently, the Microsoft Sentinel output plugin for Logstash does not support sprintf formatting of field names, which is a limitation for conditional outputs for different Data Collection Rules, Streams, and tables.

In my case, I want to send the logs to different custom streams in the same Data Collection Rule, based on the value of a specific field - aeg_subscription_name.

As you can see in the Logstash output, the field is not interpreted, which causes a malformed URI.

[Image: Logstash output]

Support for sprintf format is necessary not only for the dcr_stream_name but also for the other fields for output conditionals when concatenating strings with field values.

v-rusraut commented 5 hours ago

Hi @Miguel-Francisco, thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

v-rusraut commented 2 hours ago

Hi @Miguel-Francisco, we received a response from the respective team confirming that sprintf formatting is indeed not supported. Plugin configurations should be predefined and cannot be changed by event values. You can either set up different pipelines to consume different types of data or implement conditions within the pipeline.

Please refer to the link below for more information: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals
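The following pipeline is an added example of the "conditions within the pipeline" workaround described in the reply above; it is not part of the issue thread and not the plugin's own sample configuration. Because dcr_stream_name must be a fixed string, each target stream gets its own output block and a Logstash conditional on aeg_subscription_name selects which block an event reaches. The plugin option names other than dcr_stream_name (client_app_Id, client_app_secret, tenant_id, data_collection_endpoint, dcr_immutable_id) are assumed from the plugin's documentation, the subscription and stream names are constructed placeholders, and ${...} references are assumed to resolve from the Logstash keystore.

```logstash
# Added example: route events to different DCR streams with conditionals
# instead of sprintf inside dcr_stream_name (which the plugin does not expand).
# Option names apart from dcr_stream_name are assumed from the plugin docs;
# subscription names, stream names and ${...} secrets are placeholders.

input {
  # Any input works; the routing field is assumed to arrive as aeg_subscription_name.
  beats { port => 5044 }
}

filter {
  # Tag events that lack the routing field so they can be seen, not silently lost.
  if ![aeg_subscription_name] {
    mutate { add_tag => [ "missing_subscription" ] }
  }
}

output {
  if [aeg_subscription_name] == "prod-subscription" {
    microsoft-sentinel-log-analytics-logstash-output-plugin {
      client_app_Id            => "${SENTINEL_CLIENT_ID}"
      client_app_secret        => "${SENTINEL_CLIENT_SECRET}"
      tenant_id                => "${SENTINEL_TENANT_ID}"
      data_collection_endpoint => "${SENTINEL_DCE}"
      dcr_immutable_id         => "${SENTINEL_DCR_ID}"
      # Fixed stream name: the plugin reads this literally, no field expansion.
      dcr_stream_name          => "Custom-ProdEvents_CL"
    }
  } else if [aeg_subscription_name] == "dev-subscription" {
    microsoft-sentinel-log-analytics-logstash-output-plugin {
      client_app_Id            => "${SENTINEL_CLIENT_ID}"
      client_app_secret        => "${SENTINEL_CLIENT_SECRET}"
      tenant_id                => "${SENTINEL_TENANT_ID}"
      data_collection_endpoint => "${SENTINEL_DCE}"
      dcr_immutable_id         => "${SENTINEL_DCR_ID}"
      dcr_stream_name          => "Custom-DevEvents_CL"
    }
  } else {
    # Unknown or missing subscription: send to a catch-all stream rather than
    # dropping the event, so coverage gaps show up in the workspace.
    microsoft-sentinel-log-analytics-logstash-output-plugin {
      client_app_Id            => "${SENTINEL_CLIENT_ID}"
      client_app_secret        => "${SENTINEL_CLIENT_SECRET}"
      tenant_id                => "${SENTINEL_TENANT_ID}"
      data_collection_endpoint => "${SENTINEL_DCE}"
      dcr_immutable_id         => "${SENTINEL_DCR_ID}"
      dcr_stream_name          => "Custom-UnroutedEvents_CL"
    }
  }
}
```

Every stream that the DCR is expected to receive needs its own output block with a literal dcr_stream_name; adding a new subscription therefore means adding a branch, not relying on event values to build the URI. Keeping the credentials in the keystore rather than inline in the pipeline file avoids duplicating secrets across the three blocks.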