Dotted fieldnames, how to create?

WimDH · April 27, 2020, 7:30pm

Hi all,

Not sure if this is the right place to ask...
I'm new to ElasticStack, and I'm trying to find documentation on how fieldnames are built.
When I look at Kibana Discover, I see fieldnames like host.name and system.auth.program.
I was able to successfuly add my custom logfile mylog.log, and my fieldnames defined in a grok filter are field1, field2.
I'm looking on how I can create a field like mylog.field1 and mylog.field2`

I'm not sure on what to search (and I'm ok reading documentation).
Can someone please point me to the right docs?

Thanks a lot!

KoettingSimon · April 27, 2020, 7:49pm

Hi WimDH,
the term you looking for is nested fields.
It should work with putting a [mylog] in front of your fields in the GrokPattern.
Like

%{GREEDYDATA:[mylog]field1}

Regards,
Simon

Badger · April 27, 2020, 9:16pm

That may work in a grok filter, but in a sprintf reference that would get an ambiguous field reference error. It would be better to use [mylog][field1].

system · May 25, 2020, 9:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.