By default, web server logs don't include the vhost. But yes, if you want to distinguish traffic from different vhosts, make sure to add it to your logs (or produce distinct logs per vhost).
Next I assume you're already breaking down your http traffic between the http and url field sets.
Trivial (and incomplete) example document:
{ "http": { "method": "get", "status_code": 200, ...}
"url": { "path": "/assets/stylesheet.css", "domain": "www.example.com", ...}
}
So url.domain
would be my recommendation
Check this out as well Parsing URL with Logstash (using ECS fields) nested!