Extract server name from fqdn

vijay_kaali · March 21, 2020, 4:15am

in beat.hostname, some are in CAPS / small , lower /upper case characters .
To stabilize the search, i want to extract server name without fqdn and store in new field in lower case i tried following

mutate {
split => { "beat.Hostname" => "." }
add_field => { "host1" => "%{[beat][Hostname][1]}" }
lowercase => [ "host1" ]
}
mutate {
add_field => { "host2" => "beat.Hostname"]
split => { "host2" => "." }
add_field => { "host1" => "%{host2[0]}" }
lowercase => [ "host1" ]
}

but in both cases host1 value %{[beat][Hostname][1]}" or "%{host2[0]}" or in elk
Am i missing anything

Badger · March 22, 2020, 4:46pm

If the field name contains a period you would refer to it as beat.hostname. If the beat field is an object that contains a Hostname field then you would refer to it as [beat][Hostname]. I suspect you need to update your split option.

vijay_kaali · March 23, 2020, 1:44pm

// add_field => { "host1" => "%{beat.Hostname[1]}" } //
This setting throws error

Badger · March 23, 2020, 2:49pm

Is the beat field an object that contains a hostname field, or is the field named beat.hostname?

vijay_kaali · April 14, 2020, 4:45am

I am able to do this via workaround
copy nesting field to temp field
add field host1 > beat.hostname
split field host1 , "."
add_field shhost > host1[0]

system · May 12, 2020, 4:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split filebeat name Logstash	3	307	June 26, 2019
Mutate beats field Logstash	10	3633	March 14, 2017
How to add hostname to logs that normally do not contain hostname? Beats	14	12777	July 19, 2016
How to replace the value of beat.hostname? Beats filebeat	2	12721	July 22, 2016
Modifying / using beats field in logstash filter Logstash	2	829	October 31, 2017

Extract server name from fqdn

Related topics