How to parse a hostname

I am new to Logstash and am having difficulty with a filter. I would like to replace a fully qualified host name with the short host name.

The possible host name values are inconsistent:
esx1.acme.com
esx2.acme.com
esx3
esx4.acme.com

I have tried variations of the following. The split filter works, creating an array ["esx4", "acme", "com"].
I would like to replace the syslog_hostname array with just the hostname and skip the filter if the string value doesn't contain the .acme.com domain name:

mutate {
  split => ["syslog_hostname", "."]
  replace => ["syslog_hostname", "%{[syslog_hostname][0]}"]
}

Any assistance would be much appreciated.

Thanks.

You must not count on the different options to the mutate filter to be run in the order specified because

mutate {
  a => b
  c => d
}

and

mutate {
  c => d
  a => b
}

are equivalent. In your case the replace option happens to be evaluated first, then the split. Split your mutate filter in two consecutive filters or use the gsub option.

Magnus,

Your recommendation worked, thanks for your prompt response.
The following replaces my hostname from esx1.acme.com to esx1.

mutate {
  split => ["syslog_hostname", "."]
}
mutate {
  replace => ["syslog_hostname", "%{[syslog_hostname][0]}"]
}

Thanks

1 Like
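
The reply above mentions the gsub option without showing it. The pipeline below is an added example, not code from either poster: it strips only a trailing .acme.com, so hosts logged under any other domain keep their full name and stay distinguishable when events are correlated. The generator input, the stdout output and the esx5.example.org sample line are assumptions made so the filter can be tried offline.

```logstash
# Added example, not from the thread. The input and output sections exist
# only so the filter can be run offline; the sample lines are constructed.
input {
  generator {
    lines => ["esx1.acme.com", "esx3", "esx4.acme.com", "esx5.example.org"]
    count => 1
  }
}

filter {
  # Stand-in for whatever populates syslog_hostname in the real pipeline
  # (for example a grok pattern on the syslog line).
  mutate {
    add_field => { "syslog_hostname" => "%{message}" }
  }

  # Kept in its own mutate block so it runs after the field exists;
  # options inside a single mutate block are not applied in written order.
  # The pattern is anchored with $ so only a trailing ".acme.com" is removed.
  # [.] matches a literal dot without relying on backslash escaping.
  # Values that do not end in the suffix are left unchanged, so no
  # conditional is needed to skip short names or other domains.
  mutate {
    gsub => ["syslog_hostname", "[.]acme[.]com$", ""]
  }
}

output {
  stdout { codec => rubydebug }
}
```

Unlike split followed by replace, this leaves syslog_hostname as a string throughout and never turns it into an array.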