Hi,
I can't quite figure out how to use dissect/grok in an ingest pipeline to obtain the basename from a UNIX path. Basically, I would like each of the following inputs to return { "name" : "ssh" }:
ssh
bin/ssh
/usr/bin/ssh
Thanks.
I think you need a combination of two Grok patterns, to handle those situations where there is a slash and those where there is not. A combination of these patterns should work: ["^.*/%{DATA:name}$", "^%{DATA:name}$"]
POST /_ingest/pipeline/_simulate
{
"pipeline": {
"processors": [
{
"grok": {
"field": "input",
"patterns": ["^.*/%{DATA:name}$", "^%{DATA:name}$"]
}
}
]
},
"docs": [
{
"_source": {
"input": "ssh"
}
},
{
"_source": {
"input": "bin/ssh"
}
},
{
"_source": {
"input": "/usr/bin/ssh"
}
}
]
}
Thanks, Abdon 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.