Logstash filter help pleas

alexsamad · March 15, 2023, 5:33am

Hi

I'm in the process of trying to migrate my config from 6.7 to 8.x
I have found I have to rewrite my logstash rules - okay probably a good time to do that.
On that note - my filebeat 6.7 client worked fine, when i upgraded my client o 8.4 it started to fail - but all good.

what I would like some help on is

I base the index on the host name I have env dev1 dev2 dev3 etc. each inv has app1 app3 app5 db jmp rp so dev1app1 dev1app3 etc etc .

so i have a if then else with lots of else if basically doing this

if [host][name] =~ "^dev10" {
        mutate {
          add_field => { "env" => "dev10" }
        }
      } else if [host][name]=~ "^dev11" {
....

I was thinking it would be better if I can regex out the env from the hostname
with something like

grok {
    match => {
      [host][name]  => "^(?<env>)(app|geode|rp|db|jmp)"
    }
  }

But that doesn't work

help please

Cad · March 17, 2023, 9:25am

Based on this code part :

It seems you just do a copy of the host.name field into the env field.
So you can use the copy option of the mutate filter

mutate {
    copy {
        copy => { "[host][name]" => "env" }
    }
}

But if your host.name can contain dev1app3 and you just want the dev1 part so grok is not a bad solution :

grok {
    match => {
      [host][name]  => "(?<env>dev%{NUMBER})"
    }
}

Cad.

alexsamad · March 17, 2023, 12:10pm

Yes the bottom one makes sense

Thanks

system · April 14, 2023, 12:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter out beat.* Logstash	3	229	April 15, 2019
Logstash from multiple beats server Logstash	2	185	February 16, 2023
Grok filter on logstash Logstash	5	438	March 30, 2020
Grok parse faliure filebeat 6.0 Logstash	5	562	January 2, 2018
Filebeat store under different index per host? Beats filebeat	6	1655	June 8, 2017

Logstash filter help pleas

Related Topics