Fetch substring from a string in logstash filter

Neelam_Zanvar · August 7, 2023, 6:23am

Hi, I have a field called url in elasticsearch document.
The sample value for the field is /3dpassport/login
I want to extract only the first string before / that is 3dpassport and store it in a field. Tried this

copy => {
          "url" => "service_name"
        }
        split => {
          "service_name" => "/"
        }
        add_field => { "service" => "%{service_name[1]}" }

In this case
url => /3dpassport/login
service_name=> /3dpassport/login

there is no separate field created for service
After making changes in pipeline i have deleted and recreated data views

if i put it in this format
add_field => { "service" => "%{[service_name][1]}" }
i am getting service name as
service=> %{[service_name][1]}

and if i put "%{url[1]}" there is no service field generated. looks like some syntax problem accessing the array

Badger · August 7, 2023, 5:36pm

A mutate filter does things in a fixed order, and copy happens after split. add_field comes last. Use two mutate filters

    mutate { copy => { "url" => "service_name" } }
    mutate {
        split => { "service_name" => "/" }
        add_field => { "service" => "%{[service_name][1]}" }
    }

system · September 4, 2023, 5:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fetching substring from a string in kibana Kibana	9	1513	August 28, 2023
Extract string from a field in logstash Logstash	8	4874	December 12, 2019
Substring a field from Logstash Logstash	3	2030	March 4, 2020
Picking substring from field in logstash Logstash	2	2911	September 20, 2017
Add a field starting from a substring of the file name Logstash	3	376	April 12, 2021

Fetch substring from a string in logstash filter

Related topics