Accessing first element after executing split

lucas.alvarez · October 12, 2018, 5:34pm

Hello everybody!. I cannot find a solution for the following thing. I'm splitting a hostname that is composed by a "name", a "." and a "domain". I would like to get only the name.

I.e: lucas.google => lucas

I've read about the split function, which works good, but I cannot find a way to access the first element of the array after performing the split.

This is what I'm using:

mutate {
split => { "hostname_aux" => "." }
}

This gives me: lucas, google
I would like to get only lucas in that field.

Thank you!.

AquaX · October 13, 2018, 3:14am

You could use a grok pattern.
grok{
match => {“hostname_aux” => “%{NOTSPACE:domain}.%{NOTSPACE:name}”}
}

lucas.alvarez · October 16, 2018, 2:58pm

It does not work. I ended up doing the following:

grok {
match => [
"[host][name]", "(?< auxhostname>[a-zA-Z0-9_-]+)(.%{GREEDYDATA})?"
]
}

Take into consideration that the whitespace between "<" and "auxhostname" is there because otherwise the word is not visible in this forum.

willemdh · October 16, 2018, 4:52pm

Lucas,

Might be too late, seeing you already have a solution, but could just use the mutate with split like this:

    mutate {
      split => { "hostname_aux" => "." }
      add_field => [ "hostname_split" , "%{[hostname_aux][0]}" ]
    }

The first element of the array is %{[hostname_aux][0]}"

Grtz

Willem

system · November 13, 2018, 4:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.