Extracting filename from existing source field?

roly · November 9, 2018, 9:24am

How do i extract source filename from the existing field which standard field from logstash which is (Source)?

input {
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}

filter {
  grok {
    patterns_dir => ["/etc/logstash/conf.d/patterns"]
    match => { "message" => "%{LOGLEVEL:log_lvl}\s+\[%{TIMESTAMP_ISO8601:time_stamp}\]\s+\[%{REQID:req_id}\]\s+%{JAVACLASS:class_name}:\s+%{JAVALOGMESSAGE:log_msg}" }
    match => { "sourcename" => "/var/log/.*?/(?<logfolder>.*?)/" }
  }
 mutate {
    remove_field => ["message"]
    #remove_field => ["beat"]
    remove_field => ["[host]"]
 }
 mutate {
   add_field => {
        "host" => "%{[beat][hostname]}"
   }
 }
}

output {
        elasticsearch {
                user => "elastic"
                password => "changeme"
                hosts => "localhost:9200"
                manage_template => false
                index => "logstash-%{+YYYY.MM.dd}"
                document_type => "%{[@metadata][type]}"
        }
}

we are not getting any result as sourcename field !!

system · December 7, 2018, 9:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.