Create field form file name

ManuelF · March 10, 2021, 5:30pm

Hi,

Note: Running ELK 7.10.1

I am trying to generate a new field using Grok, by extracting data from the file name.

File name comes from "path".

path => "/opt/app_logs/*.log"

Example:

ip_block-hgTest.Dev1test-2021-03-10_09_10.log

Grok filter:

grok {
    match => { "path" => "ip_block-%{HOSTNAME:Device}-%{DATA}.log" }
    tag_on_failure => []
}

Result:

hgTest.Dev1test-2021-03

The result it's almost what I need, but for some reason is including part of the date next to the hostname.

The desired result should be just: hgTest.Dev1test

Any idea about what could I be doing wrong?

aaron-nimocks · March 10, 2021, 5:54pm

The regex for HOSTNAME doesn't work for that format in your data. You can see that here.

If you can't find another pattern that will work then just ip_block-%{DATA:Device}-%{DATA:Date}.log will.

ManuelF · March 10, 2021, 7:01pm

Thank you @aaron-nimocks . Solution provided worked like charm!!

Cheers!!

system · April 7, 2021, 7:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.