match => ["message", "(?<Original_Time>%{YEAR}.%{MONTHNUM}.%{MONTHDAY} %{TIME}Z) (?%{SYSLOG5424SD}):(?%{SYSLOG5424SD}):(?%{SYSLOG5424SD}) (?(.|\r|\n)*)"]
break_on_match => false
mutate {add_field => {"lognodeinstance" => "%{lognode} %{loginstance}"} }
As you can see I am created a named capture called "lognode" and "loginstance" - is there a way to combine these two into one field called lognodeinstance - I have attempted it above but this prints the text literally!
Thanks
Well, no, I cannot see any named capture called lognode or loginstance. If those fields existed then that would be the right way to add a new field combining them. If those fields do not exist then you should expect to get the unsubstituted text.
@Badger So sorry - I was creating the named captures further down and trying to use them above, in the config file. I thought I was capturing them in the above match but I was doing this later! #facepalm.
sorry for wasting your time.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.