Configuring Custom Multi-valued Meta

Default multi-valued meta keys are action, alias.host, alias.ip, alias.ipv6, email and username, if the custom multi-valued path parameter is not set in Logstash configuration file (netwitness-<decoder-ip>-input.conf), then only default values are considered for multi-valued meta. Custom valued meta can be setup in generic (applicable for all the NetWitness Platform host where the json file is referenced) or specific to the NetWitness Platform host and can have custom multi-valued meta for multiple host in single json file. Both the custom_multi_valued_meta_generic field and custom_multi_valued_meta_specific field can be used in single file or at-least one 1 field must be set.

Note: Provide absolute path to the json file in the configuration (netwitness-<decoder-ip>-input.conf) and make sure Logstash user has access to this file. Meta name should be the same as the NetWitness Platform default name format. Do not use underscore format of the meta key.

For example, below shown is the json file which has both generic and specific field set in custom_meta.json

{
"custom_multi_valued_meta_generic": [
"meta.1,meta.2,meta.3"
],
"custom_multi_valued_meta_specific": {
"0.0.0.0": [
"meta.4,meta.5,meta.6"
],
"1.1.1.1": [
"meta.4,meta.5,meta.7"
]
}
}

In above example, the meta keys meta.1, meta.2 and meta.3 are applied to all the NetWitness Platform host in the configuration file that has custom_meta_config path is set. The meta keys meta.1, meta.2, meta.3, meta.4, meta.5, meta.6 are set as custom multi-valued meta for hosts 0.0.0.0 and the meta keys meta.1, meta.2, meta.3, meta.4, meta.5, meta.7 are set as custom multi-valued meta keys for the host 1.1.1.1 along with default mutli-valued meta.