Hi, I think you want to try the "mutate" filter to split the URL field and store part of the splitted result into a new field. Here's an example that might help:
filter {
mutate {
split => ["url", "/"]
add_field => { "service_name" => "%{[url][1]}" }
}
}
I haven't tried this and this could contain errors. If you need more help, you might want to ask this question in the Logstash area of this forum: https://discuss.elastic.co/c/elastic-stack/logstash/14