Filter to send only system shortnames

Hi,

I'm new to Logstash, and attempting to update our company's configuration which currently sends syslog data to Splunk.

I've searched on how to standardise the system naming, which may have the shortname or the longname or the IP.

I've successfully "replace"d the name using

filter {
  if [host] == "10.10.200.33" {
    mutate {
      replace => [ "host", "firewall" ]
    }
  }
}

That works. However.....

filter {
  split => ["host", "."]
  }
  mutate {
    replace => ["host", "%{[host][0]}"]
  }
}

gives a result in Splunk that simply shows:

hostname: %{[hostname][0]}

The split => ["host", "."] section is really a straight copy from other posts on this forum where there's been a "thanks, that works" response. I can't figure out why my filter's giving the string rather than giving the variable.

Any help appreciated.

Thanks,

Stuart.

Can you give an example of your data?

Also, I think you want to use the split action from the mutate filter, not the split filter, they are different things.

The split filter will split an array into multiple events, the split action from the mutate filter will split a string into an array based on a delimiter, but it won't create new events.

If you have something like this:
hostname: host.local.domain and you want to have hostname: [host, local, domain], then you need the split action from the mutate filter.

mutate {
    split => { "hostname" => "."}
}

This way you can access the data using %{[hostname][index]}
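The same normalisation (IP to friendly name, FQDN to shortname) written out as Ruby, since that is what a Logstash `ruby { code => "..." }` filter executes. This is an added example, not code from either poster: `normalize_host`, `filter`, the `IP_TO_SHORTNAME` table and the `StubEvent` class are all constructed here; `StubEvent` only imitates the `get`/`set` calls of Logstash's real event object so the block runs outside Logstash.

```ruby
require 'ipaddr'

# Constructed lookup table (assumption): IPs that should be reported under a
# friendly shortname, mirroring the "10.10.200.33" => "firewall" replace above.
IP_TO_SHORTNAME = {
  "10.10.200.33" => "firewall",
}.freeze

# Return true when the value parses as an IPv4/IPv6 address.
def ip_address?(value)
  IPAddr.new(value)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass of ArgumentError
  false
end

# Normalise a host value that may be a shortname, an FQDN or an IP address.
#   - a known IP is mapped through IP_TO_SHORTNAME
#   - an unknown IP is returned unchanged (splitting "10.10.200.33" on "." would
#     otherwise yield "10", which is the trap in a naive split-and-take-first)
#   - anything else is split on "." and the first label kept, i.e. the
#     mutate split + replace pair from this thread collapsed into one step
def normalize_host(value)
  return value if value.nil? || value.strip.empty?
  value = value.strip
  return IP_TO_SHORTNAME.fetch(value, value) if ip_address?(value)
  value.split(".").first
end

# Constructed stand-in for the Logstash event object (only get/set are needed).
class StubEvent
  def initialize(fields)
    @fields = fields
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end
end

# Body of the ruby filter: read [host], rewrite it, leave non-string values alone.
def filter(event)
  host = event.get("host")
  event.set("host", normalize_host(host)) if host.is_a?(String)
  event
end

if __FILE__ == $PROGRAM_NAME
  ["host.local.domain", "10.10.200.33", "192.0.2.7", "fw01"].each do |h|
    ev = filter(StubEvent.new({ "host" => h }))
    puts "#{h.ljust(20)} -> #{ev.get('host')}"
  end
end
```

Inside Logstash the body of `filter` is what goes into `ruby { code => "..." }`, with `event` already supplied. This also explains the symptom in the question: `%{[host][0]}` is only resolved when `[host]` is an array, and a `split =>` placed directly under `filter` instead of inside `mutate` never creates that array, so the literal placeholder text is what gets stored and forwarded.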

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.