Can we extract folder and file out of log.file.path field?

Mehak_Bhargava · January 27, 2020, 8:57pm

Hi, I want to extract the folder and file name out of log.file.path filed we have in kibana. SO for example-

C:\Program Files (x86)\xxx SST\DispatcherAPP\logs\dispatcher.log

In this file path, I want to create a field which just shows DispatcherApp\dispatcher.log.
And I have multiple files under multiple prospectors in filebeat.yml so this field I could add will be for all different folder and file name.

Marius_Dragomir · January 28, 2020, 1:36pm

You can use a scripted field and the substring Java function in order to achieve this, but I'd recommend you do it from ingest time, either in FIlebeat, Logstash or in an Elasticsearch pipeline processor as it's done only once. If you do it with a scripted field it will be done every single time you query the data.

Mehak_Bhargava · January 28, 2020, 6:17pm

How can it be done from filebeat or logstash?

Marius_Dragomir · January 29, 2020, 10:51am

This is the guide on what Filebeat can do in regards to data processing:
https://www.elastic.co/guide/en/beats/filebeat/7.5/filtering-and-enhancing-data.html
As for logstash, the Grok and the dissect filter: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

For more info on them, the forums regarding those 2 products will be of more help.

Mehak_Bhargava · February 4, 2020, 7:05pm

I have data being processed how the documentation mentions. But my error is coming when I write an if statement on log file path to apply grok filter on. Something like this-

if [fields][tags] == "obapp-dotnet" {
    grok {
      break_on_match => false
      match => ["path","%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"]
      if [path] = "dispatcher.log" {
	     grok{
		    match => {
               "message" => [ %{DATESTAMP:timestamp}%{SPACE}%{NONNEGINT:code}%{GREEDYDATA}%{LOGLEVEL}%{SPACE}%{NONNEGINT:anum}%{SPACE}%{GREEDYDATA:logmessage}]
	          }
        	 }
      else {
	  match => {
        "message" => [\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA}%{SPACE}%{JAVACLASS:javaClass}
          ]
      }
	 }
    }

system · March 3, 2020, 7:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract folder name as field in logstash Beats filebeat	8	793	June 16, 2022
Split filepath to a new field Logstash	3	553	December 21, 2022
Extract file name and add as a field Logstash	3	2445	September 18, 2021
Some newbie questions file path and message replacement Logstash	6	383	January 4, 2019
How to extract logstash log.file.path for filter Logstash	2	1193	July 30, 2020

Can we extract folder and file out of log.file.path field?

Related topics