Add a new field based on a regex capturing group


(Dar Varley) #1

The Logstash events have a path field with a value like: /var/log/my-app_1-2015-08-26.0.log

I want a filter that can take the path field and create a new field with just the my-app_1 part of the path string.

My attempt was with the grok & mutate filters, but I'm not sure how to use the regex captured group 2:

grok {
    match => [
        "path", "%{GREEDYDATA:path}"
    ]
    add_field => [ "log_path", "%{path}" ]
}

mutate {
    # gsub takes an array of field, pattern, replacement triples
    gsub => [
        # replace everything except the
        "log_path", "([\/\w]+\/)([\w\d_-]+)(-\d{4}-\d{2}-\d{2}\.\d\.log)", "<Use regex captured group 2 here>"
    ]
}

(Magnus Bäck) #2

Your grok filter doesn't serve any purpose. It's just a very convoluted way of copying a field. But you're right in that the grok filter is the right tool for the job. You don't need mutate. Just run grok against the path field and capture the string you're interested in:

grok {
  match => [
    "path",
    "^/var/log/%{GREEDYDATA:log_path}-%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\.%{INT}\.log$"
  ]
}
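To see what the grok pattern in the answer above actually matches, here is a stand-alone Ruby reproduction that is not part of Logstash and not code from either poster. It expands the %{NAME:field} tokens into one anchored regexp the way grok does (the sub-pattern bodies for GREEDYDATA, YEAR, MONTHNUM, MONTHDAY and INT are taken from the standard grok-patterns file as I recall them, so treat them as an assumption), runs it against a constructed event, and also shows the gsub back-reference form the question was asking for.

```ruby
# Added example (not from the original thread or from Logstash itself).
# Grok sub-pattern bodies below are assumed to equal the stock grok-patterns
# definitions; GREEDYDATA is .* and the date/number pieces are the usual ones.
GROK = {
  "GREEDYDATA" => '.*',
  "YEAR"       => '(?>\d\d){1,2}',
  "MONTHNUM"   => '(?:0?[1-9]|1[0-2])',
  "MONTHDAY"   => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  "INT"        => '(?:[+-]?(?:[0-9]+))',
}

# Expand %{NAME} into a non-capturing group and %{NAME:field} into a named
# capture, then compile the whole thing into a single Regexp (what grok does).
def grok_to_regexp(pattern)
  src = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    body = GROK.fetch($1)
    $2 ? "(?<#{$2}>#{body})" : "(?:#{body})"
  end
  Regexp.new(src)
end

# The exact pattern from the answer above, anchored at both ends.
PATH_GROK = '^/var/log/%{GREEDYDATA:log_path}-%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\.%{INT}\.log$'
PATH_RE   = grok_to_regexp(PATH_GROK)

# Equivalent of the grok filter: returns a hash of the new fields, or nil
# when the path does not match (Logstash would tag _grokparsefailure).
def grok_fields(event)
  m = PATH_RE.match(event["path"].to_s)
  return nil unless m
  m.names.each_with_object({}) { |name, h| h[name] = m[name] }
end

# The mutate/gsub route from the question: the whole match is replaced by
# capture group 2 via a Ruby back-reference ('\2' as the replacement string).
GSUB_RE = /([\/\w]+\/)([\w\d_-]+)(-\d{4}-\d{2}-\d{2}\.\d\.log)/
def gsub_log_path(path)
  path.gsub(GSUB_RE, '\2')
end

if __FILE__ == $0
  # Constructed sample event mirroring the one in the question.
  event = { "path" => "/var/log/my-app_1-2015-08-26.0.log" }
  p PATH_RE
  p grok_fields(event)                 # {"log_path"=>"my-app_1"}
  p gsub_log_path(event["path"])       # "my-app_1"
  p grok_fields("path" => "/tmp/x.log") # nil: outside /var/log, no match
end
```

Two things worth noticing when running it: GREEDYDATA is greedy, so it first swallows the whole remainder and backtracks until the date suffix fits, which is why a name containing hyphens such as my-app_1 still comes out whole; and the ^ and $ anchors are what stop a path outside /var/log/ or without the date suffix from producing a log_path at all. In Ruby (and Oniguruma, which grok uses) ^ and $ are line anchors, so \A and \z would be stricter if the field could ever contain a newline.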
