Add a field starting from a substring of the file name

JuanLuis_Santiago_de · March 5, 2021, 9:03am

Hello.
I have several logs with the following names, where [E-1].[P-28], [E-1].[P-45] and [E-1].[P-51] are operators that generate these logs (I only can identify them by obtaining from the file name)

p2sajava131.srv.gva.es_11101.log.online.[E-1].[P-28].21.01.21.log
p1sajava130.srv.gva.es_11101.log.online.[E-1].[P-45].21.03.04.log
p1sajava130.srv.gva.es_11101.log.online.[E-1].[P-51].21.03.04.log
...

How can i create a new field with, mutate o translate in logstash, with the next conditions:
if contains [E-1].[P-28] => Operator-1
if contains [E-1].[P-45] => Operator-2
if contains [E-1].[P-51] => Operator-3

Thanx

Badger · March 5, 2021, 5:11pm

    translate {
        field => "[message]"
        destination => "[someField]"
        dictionary => {
          "\[E-1\]\.\[P-28\]" => "Operator-1"
          "\[E-1\]\.\[P-45\]" => "Operator-2"
          "\[E-1\]\.\[P-51\]" => "Operator-3"
        }
        exact => true
        regex => true
    }

will produce events like

 "someField" => "Operator-3",
   "message" => "p1sajava130.srv.gva.es_11101.log.online.[E-1].[P-51].21.03.04.log",

Note that you do not appear to be using a regex, but it needs to be true to do a substring match.

JuanLuis_Santiago_de · March 15, 2021, 2:10pm

Lot of Thanx Badger.

system · April 12, 2021, 2:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.