I have the following grok filter which extracts the file_extension from a field. It works except fine for files which have no extension, which generate a _grokparsefailure tag. For files with no extension, I would like the file_extension value set to an empty string. How can I accomplish this? Thank you!
grok {
match => { "file_path" => "(?<file_extension>\.[^.]+$)"}
keep_empty_captures => true
}
First thought is to only grok if it contains a period and if not then add the field with empty string.
if "." in [file_path] {
grok {
match => { "file_path" => "(?<file_extension>\.[^.]+$)"}
keep_empty_captures => true
}
} else {
mutate { add_field => { "file_extension" => "" } }
}
That works! I actually chose to check the regex instead of just checking for a period in the string.
if ([file_path] =~ /\.[^.]+$/ ) {
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.