Fetching substring from a string in Kibana

Hi, I have a field called url in an Elasticsearch document.
The sample value for the field is /3dpassport/login
I want to extract only the first string before / that is 3dpassport and store it in a field.
I am okay with doing this using Logstash mutate as well. I tried it, but it is not working.

        copy => {
          "url" => "service_name"
        }
        split => {
          "service_name" => "/"
        }


With the above config, both url and service_name have the value /3dpassport/login
I want to retain the original value of url and save 3dpassport in service_name.
If I change the config as follows

        copy => {
          "url" => "service_name"
        }
        split => {
          "url" => "/"
        }


then both url and service_name have the split values. How can I achieve this?

Hi, I think you want to try the "mutate" filter to split the URL field and store part of the split result into a new field. Here's an example that might help:

filter {
  mutate {
    split => ["url", "/"]
    add_field => { "service_name" => "%{[url][1]}" }
  }
}

I haven't tried this and this could contain errors. If you need more help, you might want to ask this question in the Logstash area of this forum: https://discuss.elastic.co/c/elastic-stack/logstash/14

It's a common way to do it, as tsullivan suggested, and it will work.

Also, it's not forbidden to use parsers:

   dissect { 
     mapping => {  "url" => "/%{urldiss}/%{}" }
   }
 
   grok { match => { "message" => [ "^\/%{DATA:urlgrok}\/"] } }

But in this case I will lose the original value of url. I want url to have the entire string, and the service name to be the
%{[url][1]}

If you are losing the original value, double-check your config. The substring you need should be added as a new field and leave your url field alone.

copy => {
          "url" => "service_name"
        }
        split => {
          "service_name" => "/"
        }
        add_field => { "service" => "%{service_name[1]}" }

Here is the code. In this case
url => /3dpassport/healthcheck
service_name=> /3dpassport/healthcheck

There is no separate field created for service.
After making changes in the pipeline, I have deleted and recreated the data views.

If I put it in this format
"%{[url][1]}"
I am getting service name as
service_name => %{[url][1]}

And if I put "%{url[1]}", there is no service field generated. Looks like some syntax problem accessing the array.

Hi Neelam, I'm sorry we didn't give an answer that helped you here and here. You may want to try the Logstash area of this forum for help with this.

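The configs posted in this thread put copy and split in one mutate block, where the filter applies its operations in a fixed internal order (split before copy) rather than in the order written. The pipeline below is an added example, not part of the original thread: it uses separate mutate blocks and a scratch field under [@metadata], and the generator input with its sample event is constructed for testing.

```logstash
input {
  generator {
    # Constructed sample event, using the url value from the thread.
    lines => ['{"url": "/3dpassport/login"}']
    count => 1
    codec => "json"
  }
}

filter {
  # Separate mutate blocks run top to bottom, so the order is explicit.

  # 1. Copy url into a scratch field. Fields under @metadata are not
  #    sent to outputs, so nothing extra ends up in the index.
  mutate {
    copy => { "url" => "[@metadata][url_parts]" }
  }

  # 2. Split only the scratch copy; url keeps its full original value.
  #    "/3dpassport/login" -> ["", "3dpassport", "login"]
  mutate {
    split => { "[@metadata][url_parts]" => "/" }
  }

  # 3. Index 0 is the empty string before the leading slash, so the
  #    first path segment is index 1. The conditional skips events
  #    whose url has no segment; without it the unresolved
  #    "%{...}" reference would be stored as literal text.
  if [@metadata][url_parts][1] {
    mutate {
      add_field => { "service_name" => "%{[@metadata][url_parts][1]}" }
    }
  }
}

output {
  # Expect url => "/3dpassport/login" and service_name => "3dpassport".
  stdout { codec => rubydebug }
}
```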