Dotted fieldnames, how to create?

WimDH · April 27, 2020, 7:30pm

Hi all,

Not sure if this is the right place to ask...
I'm new to ElasticStack, and I'm trying to find documentation on how fieldnames are built.
When I look at Kibana Discover, I see fieldnames like host.name and system.auth.program.
I was able to successfuly add my custom logfile mylog.log, and my fieldnames defined in a grok filter are field1, field2.
I'm looking on how I can create a field like mylog.field1 and mylog.field2`

I'm not sure on what to search (and I'm ok reading documentation).
Can someone please point me to the right docs?

Thanks a lot!

KoettingSimon · April 27, 2020, 7:49pm

Hi WimDH,
the term you looking for is nested fields.
It should work with putting a [mylog] in front of your fields in the GrokPattern.
Like

%{GREEDYDATA:[mylog]field1}

Regards,
Simon

Badger · April 27, 2020, 9:16pm

That may work in a grok filter, but in a sprintf reference that would get an ambiguous field reference error. It would be better to use [mylog][field1].

Topic		Replies	Views
How to create new logstash grok field Logstash	2	273	January 24, 2023
Dynamic fields name within grok match Logstash	3	1139	November 18, 2021
Help with Logstash filter Logstash	3	257	November 10, 2020
Creating nested fields with Grok Logstash	2	686	October 1, 2019
Indexing custom fields from grok filter Logstash	6	4110	July 6, 2017

Dotted fieldnames, how to create?

Related topics