Add a new field based on a regex capturing group

DK_3 · August 26, 2015, 1:20pm

The logstash events have path field with a value like: /var/log/my-app_1-2015-08-26.0.log

I want a filter that can take the path field and create a new field with just the my-app_1 part of the path string

My attempt was with the grok & mutate filter but I'm not sure how to used the regex captured group 2:

grok {
       match => [
            "path", "%{GREEDYDATA:path}"
       ]
       add_field => [ "log_path", "%{path}" ]
   }

   mutate{
       gsub => {
            # replace everything except the 
            "log_path", "([\/\w]+\/)([\w\d_-]+)(-\d{4}-\d{2}-\d{2}\.\d\.log)", "<Use regex captured group 2 here>"
       }
   }

magnusbaeck · August 26, 2015, 1:50pm

Your grok filter doesn't serve any purpose. It's just a very convoluted way of copying a field. But you're right in that the grok filter is the right tool for the job. You don't need mutate. Just run grok against the path field and capture the string you're interested in:

grok {
  match => [
    "path",
    "^/var/log/%{GREEDYDATA:log_path}-%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\.%{INT}\.log$"
  ]
}

Topic		Replies	Views
Extract a string from logstash path Kibana	6	4827	January 18, 2018
Basic logstash mutations Logstash	4	577	September 26, 2019
Add new field using part of existing value Logstash	10	1836	June 25, 2020
Create a new field using Regular Expressions Logstash	3	5579	August 7, 2018
Take out bits of a URIPATH in Logstash Logstash	21	4979	July 6, 2017

Add a new field based on a regex capturing group

Related topics