input { beats { port => 5044 } } filter { csv { source => "message" columns => [ "col.time","frame.type","frame.subtype","rssi","frame.size","data.rate" ] } date { match => [ "col.time", "YYYY-MM-DD HH:mm:ss.SSSSSSSSS" ] target => "@timestamp" } mutate { add_field => {"[hour]" => "%{+HH}"} add_field => {"[minute]" => "%{+mm}"} add_field => {"[second]" => "%{+ss}"} } mutate { convert => [ "rssi", "integer" ] convert => [ "frame.size", "integer" ] convert => [ "data.rate", "integer" ] convert => [ "second", "integer" ] convert => [ "minute", "integer" ] convert => [ "hour", "integer" ] } if[frame.type]=="0"{ mutate { replace => [ "frame.type", "Management" ] }} if[frame.type]=="1"{ mutate { replace => [ "frame.type", "Control" ] }} if[frame.type]=="2"{ mutate { replace => [ "frame.type", "Data" ] }} if[frame.subtype]=="0"{ mutate { replace => [ "frame.subtype", "Association Request" ] } } if[frame.subtype]=="1"{ mutate { replace => [ "frame.subtype", "Association Response" ] } } if[frame.subtype]=="2"{ mutate { replace => [ "frame.subtype", "Reassociation Request" ] } } if[frame.subtype]=="3"{ mutate { replace => [ "frame.subtype", "Reassociation Response" ] } } if[frame.subtype]=="4"{ mutate { replace => [ "frame.subtype", "Probe Request" ] } } if[frame.subtype]=="5"{ mutate { replace => [ "frame.subtype", "Probe Response" ] } } if[frame.subtype]=="8"{ mutate { replace => [ "frame.subtype", "Beacon" ] } } if[frame.subtype]=="9"{ mutate { replace => [ "frame.subtype", "ATIM" ] } } if[frame.subtype]=="10"{ mutate { replace => [ "frame.subtype", "Disassociation" ] } } if[frame.subtype]=="11"{ mutate { replace => [ "frame.subtype", "Authentication" ] } } if[frame.subtype]=="12"{ mutate { replace => [ "frame.subtype", "Deauthentication" ] } } if[frame.subtype]=="13"{ mutate { replace => [ "frame.subtype", "Action Frames" ] } } if[frame.subtype]=="24"{ mutate { replace => [ "frame.subtype", "Block ACK Request" ] } } if[frame.subtype]=="25"{ mutate { replace => [ "frame.subtype", "Block ACK" ] } } if[frame.subtype]=="26"{ mutate { replace => [ "frame.subtype", "Power Save Poll" ] } } if[frame.subtype]=="27"{ mutate { replace => [ "frame.subtype", "Request to Send" ] } } if[frame.subtype]=="28"{ mutate { replace => [ "frame.subtype", "Clear to Send" ] } } if[frame.subtype]=="29"{ mutate { replace => [ "frame.subtype", "ACK" ] } } if[frame.subtype]=="30"{ mutate { replace => [ "frame.subtype", "CFP End" ] } } if[frame.subtype]=="31"{ mutate { replace => [ "frame.subtype", "CFP End ACK" ] } } if[frame.subtype]=="33"{ mutate { replace => [ "frame.subtype", "Data + CF ACK" ] } } if[frame.subtype]=="34"{ mutate { replace => [ "frame.subtype", "Data + CF Poll" ] } } if[frame.subtype]=="35"{ mutate { replace => [ "frame.subtype", "Data + CF ACK + CF Poll" ] } } if[frame.subtype]=="36"{ mutate { replace => [ "frame.subtype", "Null Data" ] } } if[frame.subtype]=="37"{ mutate { replace => [ "frame.subtype", "Null Data + CF ACK" ] } } if[frame.subtype]=="38"{ mutate { replace => [ "frame.subtype", "Null Data + CF Poll" ] } } if[frame.subtype]=="39"{ mutate { replace => [ "frame.subtype", "Null Data + CF ACK + CF Poll" ] } } if[frame.subtype]=="40"{ mutate { replace => [ "frame.subtype", "QoS Data" ] } } if[frame.subtype]=="41"{ mutate { replace => [ "frame.subtype", "QoS Data + CF ACK" ] } } if[frame.subtype]=="42"{ mutate { replace => [ "frame.subtype", "QoS Data + CF Poll" ] } } if[frame.subtype]=="43"{ mutate { replace => [ "frame.subtype", "QoS Data + CF ACK + CF Poll" ] } } if[frame.subtype]=="44"{ mutate { replace => [ "frame.subtype", "Null QoS Data" ] } } if[frame.subtype]=="46"{ mutate { replace => [ "frame.subtype", "Null QoS Data + CF Poll" ] } } if[frame.subtype]=="47"{ mutate { replace => [ "frame.subtype", "Null QoS Data + CF ACK + CF Poll" ] } } } output { elasticsearch { hosts => ["http://localhost:9200"] index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" document_type => "%{[@metadata][type]}" user => elastic password => changeme } }