Grab value from message field and add it to a new field

niraj_kumar · May 5, 2016, 11:53pm

Hi,

How do i grab a particular value from my initial message field and use to configure it in a new field.

My message field looks like this:

2016-05-05 23:47:30,939 INFO [qtp796460995-1114] [puppet-server] Puppet 'store report' command for niraj-dev-03-shard2-mongodb03 submitted to PuppetDB with UUID 6c209aa7-540f-431f-88f5-75c84dca2fa7

I want the hostname niraj-dev-03-shard2-mongodb03 from my message field and use that to create a new field named host. How do i achieve this.

--
Niraj

warkolm · May 6, 2016, 1:42am

You can use grok to match the entire pattern, then you can use that field elsewhere - https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

niraj_kumar · May 6, 2016, 3:11am

It would be really helpful if you can demonstrate and example. I had a look at this website but seems to be bit confusing.

warkolm · May 6, 2016, 4:26am

Maybe this will be better https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html#configuring-grok-filter

fbaligand · May 6, 2016, 9:37pm

grok {
  match => [ "message", "command for %{NOTSPACE:host}"]
}

Topic		Replies	Views
Help to create new field from message Logstash	2	312	February 20, 2023
Extracting a new field from the message field Logstash	9	4884	April 6, 2020
How to fetch specific data from message text and add it in new field Elasticsearch	1	402	February 7, 2019
Replace content of host field with part from message field Logstash	4	1449	July 6, 2017
Adding new fields from grok filter in logstash Logstash	1	547	November 20, 2018

Grab value from message field and add it to a new field

Related topics