How to extract data from filename using logstash?

reillye · December 2, 2020, 2:56pm

I am using filebeat to monitor a directory for new files that get dropped in every hour. The files are then sent to logstash to be parsed before being sent to ES. The filenames are in this format

aldb-E6-20201015232941.csv or possibly aldbE6-20201015232941.csv

I need to be extract the data aldb and E6 from the filename and add it to the index. Can I do this using logstash?

I know I can get the filepath using [log][file][path] which returns a value like /var/data/filebeat/source/aldb-E6-20201015232941.csv, but how can I then extract the information I need from that?

Badger · December 2, 2020, 4:04pm

You could do that using grok

grok { match => { "[log][file][path]" => "/(?<firstBit>.{4})(-)?(?<secondBit>.{2})-\d+\.%{WORD}$" } }

reillye · December 2, 2020, 4:46pm

That works, thanks!

system · December 30, 2020, 4:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.