Dotted fieldnames, how to create?

WimDH · April 27, 2020, 7:30pm

Hi all,

Not sure if this is the right place to ask...
I'm new to ElasticStack, and I'm trying to find documentation on how fieldnames are built.
When I look at Kibana Discover, I see fieldnames like host.name and system.auth.program.
I was able to successfuly add my custom logfile mylog.log, and my fieldnames defined in a grok filter are field1, field2.
I'm looking on how I can create a field like mylog.field1 and mylog.field2`

I'm not sure on what to search (and I'm ok reading documentation).
Can someone please point me to the right docs?

Thanks a lot!

KoettingSimon · April 27, 2020, 7:49pm

Hi WimDH,
the term you looking for is nested fields.
It should work with putting a [mylog] in front of your fields in the GrokPattern.
Like

%{GREEDYDATA:[mylog]field1}

Regards,
Simon

Badger · April 27, 2020, 9:16pm

That may work in a grok filter, but in a sprintf reference that would get an ambiguous field reference error. It would be better to use [mylog][field1].

system · May 25, 2020, 9:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dynamically create fields from another field with json input file Logstash	8	13	October 9, 2024
Use nested field names in Grok custom patterns Logstash ingest-pipeline	2	475	September 6, 2022
Logstash: Optional fields in grok Logstash	3	336	January 4, 2023
Multiple field names into single field name in elasticsearch Elasticsearch	2	296	August 18, 2021
How to handle unmapped fields Kibana	5	1485	November 27, 2023

Dotted fieldnames, how to create?

Related Topics