Extract folder name as field in logstash

anushka1203 · May 18, 2022, 7:05am

Hi everyone
The following is my filebeat input in my yml file-

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - C:\elk stack\logs\*\*\*\access.log

  tags: ["access"]

How can i extract a folder name as a field in my logstash config file?
for example, if my filepath is

C:\elk stack\logs\unit 1\LOGS-2022-1-2-12-30-17\lighttpd-2022-1-2-12-30-17\access.log

I need "unit 1" as an extracted value in a field named "tail_no."

Help would be appreciated

Thanks in advance

Rios · May 18, 2022, 7:46am

From some reason split by \ is working in Ruby as split("\") -double backslash,however LS from some reason cannot accept that. If you replace with a special character like | or # then split it's working fine.

    mutate {
         copy => { "message" => "filepath" }
      }
	 mutate {
	    gsub => [ "filepath", "[^\\]+$", "" ]
	 }
	 mutate {
	   gsub => [ "filepath", "[\\]", "|" ]
	 }
	 mutate {
	   split  => { "filepath" => '|' }
	   add_field  => { "tail_no" => '%{[filepath][3]}' }
	 }

anushka1203 · May 18, 2022, 9:24am

my file path gets saved in the field called log.file.path
how do i change your code accordingly cause right now i am getting this as the tail_no. field -

anushka1203 · May 18, 2022, 9:57am

i also tried replacing "filepath" with "[log][file][path]" but it still gives the tail_no. as %{[log][file][path][3]}

Rios · May 18, 2022, 11:26am

This will work:

  mutate {
         copy => { "[log][file][path]" => "filepath" }
      }
	 mutate {
	    gsub => [ "filepath", "[^\\]+$", "" ]
	 }
	 mutate {
	   gsub => [ "filepath", "[\\]", "|" ]
	 }
	 mutate {
	   split  => { "filepath" => '|' }
	   add_field  => { "tail_no" => '%{[filepath][3]}' }
	 }

anushka1203 · May 18, 2022, 12:43pm

it works, thank you so much!

Rios · May 19, 2022, 4:27am

Also you can have a cleaner output with @metadata

   mutate {
        copy => { "[log][file][path]" => "[@metadata][filepath]" }
     }
	 mutate {
	    gsub => [ "[@metadata][filepath]", "[^\\]+$", "" ]
	 }
	 mutate {
	   gsub => [ "[@metadata][filepath]", "[\\]", "|" ]
	 }
	 mutate {
	   split  => { "[@metadata][filepath]" => '|' }
	   add_field  => { "tail_no" => '%{[@metadata][filepath][3]}' }
	 }

anushka1203 · May 19, 2022, 4:38am

noted. will implement this. thanks again!

system · June 16, 2022, 6:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Allow Filebeat to add folder names as fields Beats	4	1450	June 7, 2017
Get filter value in add_field Logstash	5	565	June 27, 2019
Can we extract folder and file out of log.file.path field? Kibana	5	2795	March 3, 2020
Split filepath to a new field Logstash	3	553	December 21, 2022
Extract File Name from source Logstash	3	13283	February 28, 2017

Extract folder name as field in logstash

Related topics