I have a field "host" that looks like this:
"aaa-b1.site.com"
I want to add a new field "env" containing only "b1". My filter:
grok {
match => {
"message" => "url:%{DATA:host}"
}
add_field => { "env" => ".*%{DATA:env}\.site\.com" }
How can I get a new field out of an existing field?
To extract the "b1" from host you could use
grok { match => { "host" => "%{WORD}-%{WORD:env}.site.com" } }© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.