Extract server name from fqdn

vijay_kaali · March 21, 2020, 4:15am

in beat.hostname, some are in CAPS / small , lower /upper case characters .
To stabilize the search, i want to extract server name without fqdn and store in new field in lower case i tried following

mutate {
split => { "beat.Hostname" => "." }
add_field => { "host1" => "%{[beat][Hostname][1]}" }
lowercase => [ "host1" ]
}
mutate {
add_field => { "host2" => "beat.Hostname"]
split => { "host2" => "." }
add_field => { "host1" => "%{host2[0]}" }
lowercase => [ "host1" ]
}

but in both cases host1 value %{[beat][Hostname][1]}" or "%{host2[0]}" or in elk
Am i missing anything

Badger · March 22, 2020, 4:46pm

If the field name contains a period you would refer to it as beat.hostname. If the beat field is an object that contains a Hostname field then you would refer to it as [beat][Hostname]. I suspect you need to update your split option.

vijay_kaali · March 23, 2020, 1:44pm

// add_field => { "host1" => "%{beat.Hostname[1]}" } //
This setting throws error

Badger · March 23, 2020, 2:49pm

Is the beat field an object that contains a hostname field, or is the field named beat.hostname?

vijay_kaali · April 14, 2020, 4:45am

I am able to do this via workaround
copy nesting field to temp field
add field host1 > beat.hostname
split field host1 , "."
add_field shhost > host1[0]

system · May 12, 2020, 4:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mutate beats field Logstash	10	3633	March 14, 2017
How to add hostname to logs that normally do not contain hostname? Beats	14	12762	July 19, 2016
How to replace the value of beat.hostname? Beats filebeat	2	12715	July 22, 2016
Normalizing Host Name Beats metricbeat	5	467	December 27, 2022
How to avoid host.name field in filebeat Beats filebeat	5	1311	April 18, 2023

Extract server name from fqdn

Related Topics