How to get part of the path name and add it to the index

subbu.nv · April 16, 2016, 1:03am

0
down vote
favorite
I currently have a file name like this. [SERIALNUMBER][2014_12_04][00_45_22][141204T014214]AB_DEF.log

i basically want to extract the year from the file (2014) and add it to the index name in logstash conf file.logstash.conf Below is my conf file.

input {
file {
path => "C:/ABC/DEF/HJK/LOGS/**/*"
start_position => beginning
type => syslog
}
}
filter {

grok {
    match => { "message" => "%{COMBINEDAPACHELOG}"}
}

}

output {
elasticsearch {
index => "type1logs"
}
stdout {}
}

Please help. thanks

warkolm · April 16, 2016, 8:28pm

I'm not sure there is a way to do this. There is no timestamp in the file?

subbu.nv · April 16, 2016, 8:51pm

the time stamp is saved in different format "[2014_12_04][00_45_22]".
but is there a way to capture the current indexing time stamp and extract only the year , add it to the index?

warkolm · April 16, 2016, 9:01pm

Yes, use the date filter - https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html

subbu.nv · April 18, 2016, 10:45pm

thanks a lot for your help.

in the output section, i used like below and it is giving results as expected. i didnt add the date filter though.

output {
elasticsearch {
index => "%{+YYYY}_lsclient08"
}
stdout {}
}

YYYY is getting replaced with the current year 2016

magnusbaeck · April 19, 2016, 6:05am

You need a date filter if you want the "%{+YYYY}" to be replaced by the event's year field rather than the current year.

subbu.nv · April 20, 2016, 6:34pm

ok thanks a lot, it works.