The string manipulations have been hard for me with Logstash. How do I do substr(destinationid,instr(destinationid,"discard"),7)?
Wouldn't substr(destinationid,instr(destinationid,"discard"),7) always return "discard"? Perhaps you can give an example of an input string and the desired result.
destinationid=aadiscardsomething
it is for substr(destinationid,instr(destinationid,"discard"),14)
I want to extract "discardsome"
You can use a grok filter to extract strings from other strings.
```
grok {
  match => ["destinationid", "(?<fieldname>discard.{7})"]
}
```
This extracts a new field named fieldname from the field destinationid, starting with "discard" and followed by the seven characters thereafter, i.e. if destinationid contains "aadiscardsomething" then fieldname will contain "discardsomethi".
Thanks a lot. Can you suggest some document which I can refer to, to avoid these queries in future?
How about the grok filter's documentation?
Well, it's not much on examples or complete syntax,
for example I did see Custom Patterns but I couldn't figure out how to use it in the filter, but
after seeing your post
grok {
match => ["destinationid", "(?discard.{7})"]
}
now I get it. Maybe I will get used to this in a while.
For example, now I am puzzled about what to do if I need the rest of the string without specifying a length.
Do I use
grok {
match => ["destinationid", "(?discard)"] , I guess I have to do trial and error
}
Thanks,
sam
Well, it's not much on examples or complete syntax,
What part of the syntax isn't covered?
For example, now I am puzzled about what to do if I need the rest of the string without specifying a length.
You mean all of the string from "discard" and onwards? Just use (?<fieldname>discard.*).
Do I use
grok {
match => ["destinationid", "(?discard)"] , I guess I have to do trial and error
}
If you format the configuration snippets as code you won't run the risk of getting things stripped because they look like HTML (or whatever).
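
An added Ruby illustration (not code from the thread) of the named captures discussed above: Ruby's regex engine accepts the same `(?<name>...)` syntax that grok uses, so the fixed-length and rest-of-string patterns can be tried outside Logstash. The `extract` helper, `PATTERNS`, the `.{0,7}` variant and the sample events are assumptions made for the example; `_grokparsefailure` is the tag grok adds by default when nothing matches.

```ruby
# Added example: emulate the thread's grok named captures in plain Ruby.
# PATTERNS, SAMPLES and extract are hypothetical names used for illustration.

PATTERNS = {
  fixed: /(?<fieldname>discard.{7})/,   # "discard" plus exactly 7 characters
  rest:  /(?<fieldname>discard.*)/,     # "discard" through the end of the string
  up_to: /(?<fieldname>discard.{0,7})/  # "discard" plus at most 7 characters
}.freeze

# Returns a copy of the event with "fieldname" set when the pattern matches.
# On no match the copy gets a "_grokparsefailure" tag instead, mirroring
# grok's default tag_on_failure behaviour, so bad events stay visible.
def extract(event, pattern)
  out = event.dup
  m = pattern.match(event["destinationid"].to_s)
  if m
    out["fieldname"] = m[:fieldname]
  else
    out["tags"] = (event["tags"] || []) + ["_grokparsefailure"]
  end
  out
end

# Constructed sample events (not real log data).
SAMPLES = [
  { "destinationid" => "aadiscardsomething" },  # the value from the thread
  { "destinationid" => "aadiscardabc" },        # only 3 characters after "discard"
  { "destinationid" => "aaforwardsomething" }   # no "discard" at all
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |event|
    PATTERNS.each do |name, pattern|
      puts "#{name}: #{extract(event, pattern).inspect}"
    end
  end
end
```

The second sample shows the edge case the fixed-length pattern hides: with fewer than seven characters after "discard", `.{7}` does not match at all and the event is tagged as a parse failure, while `.{0,7}` still captures what is there.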