Add a new field based on a regex capturing group

DK_3 · August 26, 2015, 1:20pm

The logstash events have path field with a value like: /var/log/my-app_1-2015-08-26.0.log

I want a filter that can take the path field and create a new field with just the my-app_1 part of the path string

My attempt was with the grok & mutate filter but I'm not sure how to used the regex captured group 2:

grok {
       match => [
            "path", "%{GREEDYDATA:path}"
       ]
       add_field => [ "log_path", "%{path}" ]
   }

   mutate{
       gsub => {
            # replace everything except the 
            "log_path", "([\/\w]+\/)([\w\d_-]+)(-\d{4}-\d{2}-\d{2}\.\d\.log)", "<Use regex captured group 2 here>"
       }
   }

magnusbaeck · August 26, 2015, 1:50pm

Your grok filter doesn't serve any purpose. It's just a very convoluted way of copying a field. But you're right in that the grok filter is the right tool for the job. You don't need mutate. Just run grok against the path field and capture the string you're interested in:

grok {
  match => [
    "path",
    "^/var/log/%{GREEDYDATA:log_path}-%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\.%{INT}\.log$"
  ]
}

Topic		Replies	Views
Extracting fields from path and adding them to new elapsed events Logstash	1	238	October 22, 2019
Add new field data using Regex Logstash	3	700	June 4, 2020
Updating an existing field using path data Logstash	6	190	April 18, 2023
Create new field from existing field using REGEX Logstash	4	1059	November 21, 2019
I want to add new field and replace the one of the existing field value to the newly added field Logstash	1	283	September 13, 2019

Add a new field based on a regex capturing group

Related topics