Add_field in filebeat individuell for each pattern

mayer · January 27, 2025, 5:49pm

Dear All,
my environment is ES and filebeat version 8.17.1 to analyse log files.
In "pipeline.yml" I have a setup like this

- grok:
    field: message
    patterns:
      - 'grok pattern 1'
      - 'some grok pattern 2'
      - 'and many more '

For statistical reasons I would like to add a field individuell to each pattern so that I can later on count which patterns are used how often. And also to bring often used patterns in front.
Is there a way to do so ? If yes, how ?

Kind regards
Hans

mayer · January 29, 2025, 8:55pm

Just want to answer my own question, found now a solution.
Very simple. I take the first space and instead of using the blank character I used %{SPACE:pattern01} and so on for the next pattern 02 ... .

- grok:
    field: message
    patterns:
      - 'grok%{SPACE:pattern01}pattern 1'
      - 'some%{SPACE:pattern02}grok pattern 2'
      - 'and%{SPACE:pattern03}many more '

Kind regards
Hans

.

Topic		Replies	Views
Can we add fields value based on regex patterns in include_lines for the same log Beats filebeat	2	1156	December 12, 2018
Filebeat add field based on line content Beats filebeat	1	351	March 3, 2020
How to add field for logs from specific file Beats filebeat	2	1146	April 20, 2020
Filebeat field depending on Path Beats filebeat	4	484	February 19, 2018
Filebeat Configuration: Adding fields in filebeat.yml Beats filebeat	3	764	November 13, 2019

Add_field in filebeat individuell for each pattern

Related topics