How Do I Change The Format Of A Metric/File Beat Log Field?

kss · April 9, 2021, 3:12pm

I am using ElasticSearch FileBeat and MetricBeat to provide logging for my apps. I am using Grafana to visualize this log data.

I do have a question though regarding the host.hostname field....

This field is storing the hostname in the following format:

ip-10-109-4-123.us-west-2.compute.internal

I am wondering if if it possible to change this format so that it stores the hostname as follows:

ip-10-109-4-123

Or, can I add a new field to the this log record that is based on the hostname field but with the ".us-west-2.compute.internal" stripped off?

Thanks

kavierkoo · April 11, 2021, 6:19pm

Hi Kss,

I know of few ways to do it:

you can use processors like Dissect for filebeat or metricbeat. This will add/modify the logs being stored into elasticsearch.
you can use Scripted field, this is on the fly hence no altering of logs but this is resource intensive on Kibana and might affect performance of Kibana.
If you have a logstash, it will be easier to filter with GROK, Dissect and etc. This will add/modify the logs being stored into elasticsearch.

Hope this helps you!

legoguy1000 · April 12, 2021, 12:26am

hoat.hostname is populated by whatever is returned by the hostname command which is what's located in /etc/hostname. Is host.name populated? I would go with the dissect processor to generate the field u want from the fqdn as mentioned above.

kss · April 12, 2021, 9:38pm

Thanks Kavier, I'll give Dissect a try. I tried scripted fields, but it doesn't look like I can access them with Grafana.

kss · April 12, 2021, 9:58pm

I'm trying to get my brain around the syntax of dissect.

But first a question, does dissect create a new field, or does it operate on the source fields and modify it.

Second, what would the format be for the dissection. Based on the example in the doc this is what I'm coming up with.

Source string: ip-10-109-4-123.us-west-2.compute.internal
(I want only ip-10-109-4-123)

Would the format be: "%{ipaddress}.%{region}.%{level2domain}.%{topleveldomain}"

Would this ADD the three fields to the document: ipaddress, region, level2domain and topleveldomain?

kss · April 12, 2021, 11:22pm

This came in handy!
https://dissect-tester.jorgelbg.me/

kss · April 13, 2021, 3:22am

Dissect works great. Thanks guys!

system · May 11, 2021, 5:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.