Add new fields based on hostname substring

lemospt · March 16, 2023, 10:43am

Hi guys,

i want to add new fields based on the information in hostname. Below the examples of what i need,

hostname=alfrdnsresolverfixed01
new fields: site=alfr, dns_type=fixed

hostname=boavdnsresolvermbbnat01
new fields: site=boav, dns_type=mbbnat

so site is the first 4 chars of hostname and dns_type is between dnsresolver and last 2 digits

thanks,

Badger · March 16, 2023, 3:08pm

Use grok

grok { match => { "hostname" => "^%{WORD:site}dnsresolver%{WORD:dns_type}\d" } }

lemospt · March 16, 2023, 3:50pm

more simple than i thought.

@Badger \ d in the end what means? 1 digit, 1 or more digits, something else...?

Badger · March 16, 2023, 4:05pm

\d means one digit. That may be followed by another digit or anything else. There is no need to match the entire field.

lemospt · March 16, 2023, 7:41pm

need to adjust things but work like a charm.

many thanks @Badger

Topic		Replies	Views
Split hostname into new fields Logstash	3	56	February 25, 2025
Grok add_field from another field Logstash	2	879	August 23, 2018
Logstash grok filter with regex Logstash	1	346	December 15, 2018
Create field form file name Logstash	3	408	April 7, 2021
Logstash grok for change field value Logstash	7	939	March 5, 2019