Get filter value in add_field

kentatoi · May 27, 2019, 4:11pm

Hi,
I would like to get the path of my logs from Filebeat split it and get the name of my app_serv as a new field. I am using ELK-stack 6.6.0

Here that is what I am trying :

input { stdin { } }
filter {

  grok {
    patterns_dir => "/u01/app/elk-config/logstash/patterns"
    match => { "message" => "%{COMMONAPACHELOG}" }
    match => { "source" => "/u01/app/oracle/admin/%{DATA:domain}/%{DATA:app_server}/logs/%{DATA:filename}"}
  }
  mutate {
    add_field => {"app_server" => "%{app_server}"}
  }

}
output {

  stdout { codec => rubydebug }

}

but when I do that the value in the output doesn't show up. It seems Logstash doesn't recognize my filter name or Is it because the source path is null ?

"app_server" => "%{app_server}",
      "timestamp" => "27/Apr/2019:22:15:00 -0400",
       "response" => "404",
       "@version" => "1",
           "auth" => "-"

Thanks for your help

Badger · May 27, 2019, 7:42pm

What are you trying to do with that. I sets app_server to the value of app_server if it exists, or to "%{app_server} if it does not.

I do not see anything create a source field on an event, so that match in the grok filter is a no-op.

kentatoi · May 29, 2019, 12:59pm

Thanks for your answer. That is what I though but how can I split the file path that I send to Logstash by filebeat, get the filename part and create a field with that ?

Badger · May 29, 2019, 1:02pm

You can extract the filename from a path using

grok { match => { "someField" => "/(?<filename>[^/]+)$" } }

kentatoi · May 30, 2019, 4:32pm

Thanks for your answer . I found what I needed

system · June 27, 2019, 4:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.