Get the name of the log file and create a tag or a custom field with that value

Good afternoon.
I would like to know how I could in logstash create a tag (or a custom field) with a part of the value of the log.file.path.keyword field. Considering that this field stores the absolute path, I would be interested in getting only the file name.

I have tried several options, among them the following one, but I can't get this value:

grok {
  match => [ "log.file.path.keyword", "(?<filename>[a-zA-Z0-9.]*$)" ]
  overwrite => [ "filename" ]
}

Can you tell me how to properly configure logstash to get that value?
Thanks!

The grok pattern looks right, but .keyword is an elasticsearch thing and that field does not exist in logstash. You probably want

match => { "[log][file][path]" => "(?<filename>[a-zA-Z0-9.]*$)" }

logstash uses a different syntax to represent objects that have nested fields. It can easily distinguish between [foo.bar] (a field with a dot in its name) and [foo][bar] (an object with a field called bar in it).
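
The two points in the answer above, as an added example that is not part of the original thread and not Logstash's own code: a simplified Ruby model of how a bare name and a bracketed reference resolve against an event, followed by the thread's pattern applied to the result. The helper names, the constructed sample events and `WIDER_PATTERN` are assumptions made for illustration; the wider pattern is included because the thread's character class stops at `-` and `_`, so only the tail of such a file name is captured.

```ruby
# Simplified model of Logstash field references (assumption: not Logstash's code).
# "[log][file][path]" walks nested objects; a bare name such as
# "log.file.path.keyword" is looked up as ONE top-level key, dots included.
def resolve(event, ref)
  segments = ref.scan(/\[([^\[\]]+)\]/).flatten
  return event[ref] if segments.empty? # bare reference: single top-level key
  segments.reduce(event) do |node, key|
    return nil unless node.is_a?(Hash) # path runs past a non-object value
    node[key]
  end
end

# The pattern from the thread, and a wider one (assumption) that accepts any
# character except a path separator.
THREAD_PATTERN = /(?<filename>[a-zA-Z0-9.]*$)/
WIDER_PATTERN  = /(?<filename>[^\/\\]+$)/

# Returns the captured file name, or nil when the field is missing or the
# pattern does not match.
def extract_filename(event, ref, pattern)
  value = resolve(event, ref)
  return nil unless value.is_a?(String)
  m = pattern.match(value)
  m && m[:filename]
end

# Constructed sample events with the nested log.file.path layout.
EVENT_SIMPLE = { "log" => { "file" => { "path" => "/var/log/nginx/access.log" } } }
EVENT_HYPHEN = { "log" => { "file" => { "path" => "/var/log/app/auth-service_2.log" } } }

if __FILE__ == $PROGRAM_NAME
  [["log.file.path.keyword", THREAD_PATTERN],
   ["[log][file][path]", THREAD_PATTERN],
   ["[log][file][path]", WIDER_PATTERN]].each do |ref, pattern|
    [EVENT_SIMPLE, EVENT_HYPHEN].each do |event|
      puts "#{ref} #{pattern.source} -> #{extract_filename(event, ref, pattern).inspect}"
    end
  end
end
```
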
