I have following logstash conf snippet, but it doesn't work. I got the idea of subfield from this stackoverflow thread. How can I make it to work? I am trying to split the http_refer field in my access log. Thanks.
filter {
kv {
source => "@message[http_referer]"
field_split => "&?"
value_split => "="
add_tag => "splited"
}
}
Yeah, great resource. I should have finished all the docs first just no so enough time...
A short answer for someone who didn't find on stackoverflow or come from Google, you can reference to a field name by [field_name].
You can omit the [ ] if it's top level field.
In nested situation/ sub field, use [level1][level2] syntax to reference.
If you want to refer to the value inside a string, use the "%{[level1][level2]}" syntax.
Can be a little confused it you are not used to the syntax.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.