Support for sprintf format in Microsoft Sentinel output plugin for Logstash #11303
Comments
|
Hi @Miguel-Francisco , thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks! |
|
Hi @Miguel-Francisco , we received a response from the respective team confirming that sprintf formatting is indeed not supported. Plugin configurations should be predefined and cannot be changed by event values. You can either set up different pipelines to consume different types of data or implement conditions within the pipeline. Please refer to the link below for more information. |
|
Hello again, thank you for the quick reply. I know different workarounds but all of them lack efficiency when compared to the usage of sprinf format. Are there any plans to include support to it in future releases? |
|
Hi @Miguel-Francisco , we received a response from the respective team indicating that they have created a backlog item for this issue. There is no ETA associated with it. We are currently closing this issue. If you still need support for this matter, feel free to re-open it at any time. Thank you for your cooperation. |
Currently, the Microsoft Sentinel output plugin for Logstash does not support sprintf formatting of field names which is a limitation for conditional outputs for different Data Collection Rules, Streams, and tables.
In my case, I want to send the logs to different custom streams in the same Data Collection Rule, based on the value of a specific field - aeg_subscription_name.
As you can see in the Logstash output, the field is not interpreted which causes a malformed URI.
Support for sprintf format is necessary not only for the dcr_stream_name but also for the other fields for output conditionals when concatenating strings with field values.
The text was updated successfully, but these errors were encountered: