Hi,
I have a field with value "sv4axmaic04". I need to extract value before "axmaic". But substring "axmaic" is same/constant across all the field values. So I just need to extract value "sv4" from the given example.
Can I use dissect as below: Or any other better way
dissect {
mapping => {
"message" => "%{field1}axmaic%{field2}"
}
}
But i don't want field2 getting created here.
If you do not want field2 created then do not give it a name, just use %{}.
Another option would be to use a regexp to match the first three characters of the field
grok { match => { "message" => "^(?<field1>...)" } }Thanks.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.