Extracting particular folder from the path and adding that to a field

Hi Guys,

I need help to fetch a particular folder from the path and assign the same to a different field.

path ==> /var/mqm/qmgrs/FOLDER_NEEDED/errors/*.log.
I need to extract FOLDER_NEEDED and assign it to a field for every message.


Are you saying that the events in logstash always have a field called path? And is the data you need to extract always the fourth directory name?

That is right. All messages have a field path. I need to extract the folder from path and assign it to a new field in the message.

OK, so a UNIX path contains directory names separated by /. A directory name cannot contain /. So you could either go after the 4th directory name, or the last but one directory name. Either of these should work:

    # 4th directory name, counted from the root
    grok { match => [ "path", "^/[^/]+/[^/]+/[^/]+/(?<dir1>[^/]+)" ] }
    # last but one directory name, counted from the end
    grok { match => [ "path", "/(?<dir2>[^/]+)/[^/]+/[^/]+$" ] }

    match => { "path" => "/%{GREEDYDATA}/%{GREEDYDATA}/%{GREEDYDATA}/%{GREEDYDATA:folder}/%{GREEDYDATA}" }

worked for me.

Generally, GREEDYDATA is going to be more expensive than [^/]+. It will work, it just burns a little more CPU.

Thank You. Yeah.
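Added example, not part of any post in this thread: a plain-Ruby comparison of the three expressions above on constructed paths, showing which path segment each one captures as the directory depth changes. It assumes the stock grok definition of GREEDYDATA (`.*`) and uses `\A`/`\z` as whole-string anchors; the constant and function names are made up for this illustration.

```ruby
# Ruby equivalents of the grok expressions discussed in the thread.
# Names (FOURTH_FROM_ROOT, compare, ...) are hypothetical; paths are constructed.

# 4th directory counted from the root; [^/]+ can never cross a "/".
FOURTH_FROM_ROOT = %r{\A/[^/]+/[^/]+/[^/]+/(?<dir>[^/]+)}
# Last but one directory, counted back from the file name.
SECOND_ABOVE_FILE = %r{/(?<dir>[^/]+)/[^/]+/[^/]+\z}
# GREEDYDATA is ".*" in the stock grok patterns; ".*" may span "/" and backtracks.
GREEDY = %r{/.*/.*/.*/(?<dir>.*)/.*}

# Return the named capture "dir", or nil when the pattern does not match.
def extract(pattern, path)
  m = pattern.match(path)
  m && m[:dir]
end

# Run all three expressions against one path.
def compare(path)
  {
    fourth_from_root: extract(FOURTH_FROM_ROOT, path),
    second_above_file: extract(SECOND_ABOVE_FILE, path),
    greedy: extract(GREEDY, path),
  }
end

# Constructed sample paths at different depths.
SAMPLE_PATHS = [
  "/var/mqm/qmgrs/QM1/errors/AMQERR01.LOG",     # layout from the question
  "/var/mqm/qmgrs/QM1/errors",                  # same tree, no file name
  "/opt/var/mqm/qmgrs/QM1/errors/AMQERR01.LOG", # one extra leading directory
  "/var/mqm/qmgrs",                             # too shallow
].freeze

SAMPLE_PATHS.each do |path|
  puts "#{path} => #{compare(path)}"
end
```

Because each greedy group first grabs as much as it can and then backtracks, the segment captured by the `.*` form depends on how many `/` the path contains, while the `[^/]+` forms stay pinned to a position counted from one end.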
