Create field form file name

ManuelF · March 10, 2021, 5:30pm

Hi,

Note: Running ELK 7.10.1

I am trying to generate a new field using Grok, by extracting data from the file name.

File name comes from "path".

path => "/opt/app_logs/*.log"

Example:

ip_block-hgTest.Dev1test-2021-03-10_09_10.log

Grok filter:

grok {
    match => { "path" => "ip_block-%{HOSTNAME:Device}-%{DATA}.log" }
    tag_on_failure => []
}

Result:

hgTest.Dev1test-2021-03

The result it's almost what I need, but for some reason is including part of the date next to the hostname.

The desired result should be just: hgTest.Dev1test

Any idea about what could I be doing wrong?

aaron-nimocks · March 10, 2021, 5:54pm

The regex for HOSTNAME doesn't work for that format in your data. You can see that here.

If you can't find another pattern that will work then just ip_block-%{DATA:Device}-%{DATA:Date}.log will.

ManuelF · March 10, 2021, 7:01pm

Thank you @aaron-nimocks . Solution provided worked like charm!!

Cheers!!

system · April 7, 2021, 7:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract hostname from log file name Logstash	10	379	November 23, 2023
Grok filter add_field Logstash	6	2077	May 19, 2020
Extracting contents of the filename (from the source) and creating fields Logstash	7	5862	July 6, 2017
Help with file name to date logstash grok Logstash	3	244	September 21, 2023
Extract file name and add as a field Logstash	3	2426	September 18, 2021