Dynamic value of the add_field processor

Elastic Stack Beats
1

Hi!
In a Filebeat input I have a processor in Filebeat like this:

processors:

- add_fields:
    when:
      regexp:
        message: '[0-9]{8}\-?[a-zA-Z]'
      fileds:
        newfield: XXX

So, when a new line gets to this processor it tests agains that regex and if it matches, it adds a new field called 'newfield' to the event.

However, I would not need it to add 'XXX' as value I would need it to add the same value as the part of the message that matched, for example, for this input:

The quick brown fox whose id number was FX54J jumped over the lazy dog!

the event would not have any 'newfield' field, BUT for this input:

The quick brown fox whose id number was 12345678a jumped over the lazy dog!

it would have the value '12345678a' in the field 'newfield', and for this other input:

The quick brown fox whose id number was 55555555L jumped over the lazy dog!

the value of the 'newfield' would be '55555555L'

Can that be done? Or the value of the new field MUST ALWAYS be the same

Thanks a lot in advance!

2

Hi!

I would suggest to go with processor-script so as to programmatically identify and replace the field.

C.

3

Wow!! Thank you sooooo much, I did not know about the processor-script.

I have tried some scripts and yes, it can do the job

Thanks again!!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.