I am using filebeat to get the nginx logs and pass them to the "wavefront" Now the log line in nginx looks like this:
- - [09/Jan/2018:09:16:07 +0000] "GET /abc/def/ghi/jkl/mnop? HTTP/1.1" 200 4471 "http://:8000" "ServiceHost/xxx" 0.035 0.035 .
Is there a way in the filebeat.yaml prospectors to read this logline but only send the the url 2 or 3 levels deep. So I only want to send /abc/def/ghi and not the whole to the wavefront.