Extract server name from fqdn

vijay_kaali · March 21, 2020, 4:15am

in beat.hostname, some are in CAPS / small , lower /upper case characters .
To stabilize the search, i want to extract server name without fqdn and store in new field in lower case i tried following

mutate {
split => { "beat.Hostname" => "." }
add_field => { "host1" => "%{[beat][Hostname][1]}" }
lowercase => [ "host1" ]
}
mutate {
add_field => { "host2" => "beat.Hostname"]
split => { "host2" => "." }
add_field => { "host1" => "%{host2[0]}" }
lowercase => [ "host1" ]
}

but in both cases host1 value %{[beat][Hostname][1]}" or "%{host2[0]}" or in elk
Am i missing anything

Badger · March 22, 2020, 4:46pm

If the field name contains a period you would refer to it as beat.hostname. If the beat field is an object that contains a Hostname field then you would refer to it as [beat][Hostname]. I suspect you need to update your split option.

vijay_kaali · March 23, 2020, 1:44pm

// add_field => { "host1" => "%{beat.Hostname[1]}" } //
This setting throws error

Badger · March 23, 2020, 2:49pm

Is the beat field an object that contains a hostname field, or is the field named beat.hostname?

vijay_kaali · April 14, 2020, 4:45am

I am able to do this via workaround
copy nesting field to temp field
add field host1 > beat.hostname
split field host1 , "."
add_field shhost > host1[0]

system · May 12, 2020, 4:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.