I'm in a company where I need to ingest data from IIS.
I've enabled the module, but I'd like to modify the pipeline a bit. I've found that pipelines are stored in the Filebeat modules folder (on Windows: filebeat/module/iis/access/ingest/pipeline.yml). But from my tests, pipelines are not executed in Filebeat but transmitted to Elasticsearch.
And so, here is my issue. I need to parse the url.path to add the first part into another field.
I've tried multiple things:
Since I'm working with Logstash, I've tried to make a grok pattern here. Unfortunately, the url.path field does not exist yet because my IIS event has not been parsed yet.
I've also tried to edit the access/pipeline.yml and add the grok pattern right after the message has been parsed.
Unfortunately, since the pipeline file is not executed by Filebeat nor transmitted to Elastic (I might be wrong on this part, feel free to correct me), my new grok filter is not executed.
If anyone has an idea on how I could add a grok filter in the IIS pipeline, I would really appreciate it.
Oh and btw, I'd really appreciate not having to reparse the message in Logstash; I'm looking for another solution that would be more "efficient".
Thanks in advance