I have a field in my message where I only need the last part of the string but the message length varies for different environments. I tried using grok to fetch the last part of the message but unable to get the expected output
input log
"loggroup" : "test-environment-qa"
or
"loggroup" : "test-dev"
or
"loggroup" : "authentication-group-env-perf"
expected output:
"loggroup" : "qa"
or
"loggroup" : "dev"
or
"loggroup" : "perf"
how to get the expected output in logstash using filters ?
Use mutate+gsub
mutate { gsub => [ "loggroup", ".*\-([^-]+)$", "\1" ] }
The \1 references the capture group (the stuff inside parentheses) which is one or more characters that are not -, anchored to the end of the line.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.