How to use grok to match filenames as indexes in logstash

ThePreMan · February 1, 2021, 1:14pm

We try to use developer names as indexes in logstash.
Therefore our filenames are something like: developer1.log
We have tried to use grok to match a certain part of the path as our filename. Nothing seems to be working-

We ship from filebeat to logstash.
This is our logstash conf.:

    input {
      beats {
        port => 5044
        client_inactivity_timeout => 84600
      }
    }
    filter {
      dissect {
        mapping => {
          "message" => "%{Index} %{timestamp} %{+timestamp} %{PTimestamp} %{Count} %{Ecuid} %{Apid} %{Ctid} %{SessionID} %{Type} %{Subtype} %{Mode} %{#Args} %{Payload}"
        }
      }
      grok { 
        match => ["path" => "/(?<filename>[^/]+).log" ]
      }
      mutate {
        convert => {
          "PTimestamp" => "integer"
          "Count" => "integer"
          "Index" => "integer"
          "#Args" => "integer"
        }
      }
      date {
        match  => [ "timestamp", "yyyy/MM/dd HH:mm:ss.SSSSSS" ]
      }
    }

    output {
      elasticsearch {
        hosts => ["http://elasticsearch-master:9200"]
        index => "%{filename}"
      }
    }

system · March 1, 2021, 1:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.