How can we access a field that was created in a previous grok match step (eg. [app_name]) and dynamically use that value to control the value of "target" in the kv filter plugin?
eg:
grok {
match => { "[inputdata]" => "(?<app_name>[\w]+)"}
}
kv {
source => "[kv_params]"
target => "url_params"
#target => "%{[app_name]}_params" ## NOT WORKING
field_split => "&"
remove_field => "[kv_params]"
}
...
My first attempt was to try a similar approach used to access the metadata field %{[@metadata][beat]} in the output , but seems that it's not working within the filter / KV portion.