Get the name of the log file and create a tag or a custom field with that value

mar-ro · May 28, 2021, 1:01pm

Good afternoon.
I would like to know how I could in logstash create a tag (or a custom field) with a part of the value of the log.file.path.keyword field. Considering that this field stores the absolute path, I would be interested in getting only the file name.

I have tried several options, among them the following one, but I can't get this value

grok {
match => [ "log.file.path.keyword" , "(?<filename>[a-zA-Z0-9.]*$)"]]
overwrite => [ "filename" ]
}

Can you tell me how to properly configure logstash to get that value?
Thanks!

Badger · May 28, 2021, 4:58pm

The grok pattern looks right, but .keyword is an elasticsearch thing and that field does not exist in logstash. You probably want

match => { "[log][file][path]" => "(?<filename>[a-zA-Z0-9.]*$)" ] }

logstash uses a different syntax to represent objects that have nested fields. It can easily distinguish between [foo.bar] (a field with a dot in its name) and [foo][bar] (and object with a field called bar in it).

Topic		Replies	Views
Unable to add tag with filename Logstash	5	532	June 6, 2022
Matching log.file.path with Grok Logstash	2	2094	July 1, 2020
Extracting filename from log.file.path not working Logstash	9	11707	April 2, 2020
Unable to get filename pattern from log.file.path value Logstash	3	682	November 19, 2019
Match log.file.path in Grok Logstash	3	3516	May 18, 2019

Get the name of the log file and create a tag or a custom field with that value

Related topics