Hi,
I have log line like this:
Grok Pattern:
(,"session":"(%{DATA:name}@%{DATA:company})?")?
and I want to split the email to values name and company and also save email as whole to session value. I can split it but I dont know how to save it to session value at the same time.
The values I want:
name: "kred06"
company: "gmail.com"
session: "kred06@gmail.com"
Can Anybody help?
An easy solution is to just create a new field after your grok and combine the 2 fields together.
mutate {
add_field => {
"session" => "%{[name]}@%{[company]}"
}
}
"session" => "kred06@gmail.com"
Thanks, but name and company are marked as optional. When they are not there, it will show in kibana "session" : "%{[name]}@%{[company]}" How can I repair this?
Add a conditional to only add that field if company and name both exist.
if [name] and [company] {
mutate {
add_field => {
"session" => "%{[name]}@%{[company]}"
}
}
}
In my mutate I have also replace => {"[type]" => "index-name"} That needs to go throught every time. Can I define multiple mutate blocks?
if [name] and [company] {
mutate {
add_field => {
"session" => "%{[name]}@%{[company]}"
}
}
}
mutate {
replace => {"[type]" => "index-name"}
}Yes. That will work.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.