Add and cut field on specific characters based on index name

sbienert · August 22, 2018, 3:52pm

Hello,

I want to add a field and fill it with the value of the index name but cut it after the first underscore and before the third underscore. I have an Elasticsearch in- and output and want to reindex with wildcard in index name so that all indices containing the pattern are fetched by the input.

What I have:
{ "_index": "xxx_yyy_value_zzz" }

What I want:
{ "_index": "xxx_yyy_value_zzz", "_source": { "field": "value" } }

Can you also transmit the value or the whole input index name to the Elasticsearch Output index name when you have wildcards for input indices?

Thanks

magnusbaeck · August 25, 2018, 2:07pm

As I recall the input index name ends up in a field when using the elasticsearch input. You can use a dissect or grok filter to extract parts of that string into separate fields.

system · September 22, 2018, 2:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Change field name during index Elasticsearch	5	730	April 16, 2020
Accessing Metafield _index in Logstash Logstash	4	441	May 13, 2020
Logstash output to Elasticsearch name index based on field? Logstash	12	2710	March 23, 2021
Generate output index from input filename Logstash	2	749	July 31, 2018
Defining a custom ES index based on an existing field Logstash	4	734	May 30, 2017

Add and cut field on specific characters based on index name

Related topics