Fetching substring from a string in kibana

Neelam_Zanvar · July 12, 2023, 10:33am

Hi, I have a field called url in elasticsearch document.
The sample value for the field is /3dpassport/login
I want to extract only the first string before / that is 3dpassport and store it in a field.
I am okay with doing this using logstash mutate as well. i tried it, but it is not working

        copy => {
          "url" => "service_name"
        }
        split => {
          "service_name" => "/"
        }

with the above config both url and service_name have the value /3dpassport/login
I want to retain the original value of url and save 3dpassport in service_name.
If i change the config as follows

        copy => {
          "url" => "service_name"
        }
        split => {
          "url" => "/"
        }


``
then both url and service_name are having the split values. How can i achieve this?

tsullivan · July 12, 2023, 8:38pm

Hi, I think you want to try the "mutate" filter to split the URL field and store part of the splitted result into a new field. Here's an example that might help:

filter {
  mutate {
    split => ["url", "/"]
    add_field => { "service_name" => "%{[url][1]}" }
  }
}

I haven't tried this and this could contain errors. If you need more help, you might want to ask this question in the Logstash area of this forum: https://discuss.elastic.co/c/elastic-stack/logstash/14

Rios · July 12, 2023, 9:33pm

It's common way to use as tsullivan suggested and will work.

Also, it's not forbidden to use parsers:

   dissect { 
     mapping => {  "url" => "/%{urldiss}/%{}" }
   }
 
   grok { match => { "message" => [ "^\/%{DATA:urlgrok}\/"] } }

Neelam_Zanvar · July 13, 2023, 7:42am

but in this case i will loose the original value of url. i want url to have the entire string. and the service name to be the
%{[url][1]}

tsullivan · July 13, 2023, 6:02pm

If you are losing the original value, double-check your config. The substring you need should be added as a new field and leave your url field alone.

Neelam_Zanvar · July 19, 2023, 9:31am

copy => {
          "url" => "service_name"
        }
        split => {
          "service_name" => "/"
        }
        add_field => { "service" => "%{service_name[1]}" }

Here is the code. In this case
url => /3dpassport/healthcheck
service_name=> /3dpassport/healthcheck

there is no separate field created for service
After making changes in pipeline i have deleted and recreated data views

Neelam_Zanvar · July 26, 2023, 6:25am

copy => {
          "url" => "service_name"
        }
        split => {
          "service_name" => "/"
        }
        add_field => { "service" => "%{service_name[1]}" }

Here is the code. In this case
url => /3dpassport/healthcheck
service_name=> /3dpassport/healthcheck

there is no separate field created for service
After making changes in pipeline i have deleted and recreated data views

Neelam_Zanvar · July 27, 2023, 6:17am

if i put it in this format
"%{[url][1]}"
i am getting service name as
service_name => %{[url][1]}

and if i put "%{url[1]}" there is no service field generated. looks like some syntax problem accessing the array

tsullivan · July 31, 2023, 8:58pm

Hi Neelam, I'm sorry we didn't give an answer that helped you here and here. You may want to try the Logstash area of this forum for help with this.

system · August 28, 2023, 8:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.