Logstash extract first 3 chars of a field into another field


(Samnik60) #1

i tried using grok for this but not getting anywhere . anyone tried this before ??
grok {
add_field => [ "named_raw_message", "%{@field}[1..3]" ]
}
Thanks,
sam


(Magnus B├Ąck) #2

The [1..3] syntax isn't part of Logstash's standard configuration language, which is why I pointed you to the ruby filter.

Also, your add_field will never be used since its conditional upon the successful completion of the grok filter. Since you don't have any match expressions set up it will be never be deemed successful. Perhaps you meant to use a mutate filter instead?


(Samnik60) #3

I was just trying out grok for this use case, the documentation was not enough for me to implement this feature, may be i need to get familiar with languages like ruby to get the hang of these plugins


(system) #4