Add and cut field on specific characters based on index name

sbienert · August 22, 2018, 3:52pm

Hello,

I want to add a field and fill it with the value of the index name but cut it after the first underscore and before the third underscore. I have an Elasticsearch in- and output and want to reindex with wildcard in index name so that all indices containing the pattern are fetched by the input.

What I have:
{ "_index": "xxx_yyy_value_zzz" }

What I want:
{ "_index": "xxx_yyy_value_zzz", "_source": { "field": "value" } }

Can you also transmit the value or the whole input index name to the Elasticsearch Output index name when you have wildcards for input indices?

Thanks

magnusbaeck · August 25, 2018, 2:07pm

As I recall the input index name ends up in a field when using the elasticsearch input. You can use a dissect or grok filter to extract parts of that string into separate fields.

system · September 22, 2018, 2:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.