Hello, I am using logstash to collect data from FortiGate. I have one special field to check the number of connections per day. This "vpn" field looks like sz_forti, szec_forti. I need to take the first characters before _ (for example sz_forti -> sz) in order to test them with a pattern and then group them. How can you do this? (In Python, you can split by separator and make an array from a string, but since I'm new to Elasticsearch this became a problem for me.)
Full code of conf.d:
input {
  udp {
    port => 5517
    type => "forti_log"
  }
}

filter {
  if [type] == "forti_log" {
    # FortiGate syslog is key=value; "type"/"subtype" would clash with the event type above
    kv {
      source => "message"
      exclude_keys => [ "type", "subtype" ]
    }
    geoip { source => "dst" }
    geoip { source => "dstip" }
    geoip { source => "src" }
    geoip { source => "srcip" }
    mutate {
      # normalise the different FortiGate spellings onto one field name each
      rename => {
        "dst"      => "dst_ip"
        "dstip"    => "dst_ip"
        "dstport"  => "dst_port"
        "devname"  => "device_id"
        "status"   => "action"
        "src"      => "src_ip"
        "srcip"    => "src_ip"
        "zone"     => "src_intf"
        "srcintf"  => "src_intf"
        "srcport"  => "src_port"
        "rcvd"     => "bytes_recieved"
        "rcvdbyte" => "bytes_recieved"
        "sentbyte" => "bytes_sent"
        "sent"     => "bytes_sent"
      }
      # rename runs before convert inside one mutate, so the merged names are converted
      convert => {
        "bytes_recieved" => "integer"
        "bytes_sent"     => "integer"
      }
      remove_field => [ "msg" ]
    }

    # if [ filter by delimiter must be here, for example for an input sz_teplov -> sz -> add_field ["Energetic"] [sczv_vedom -> sczv -> add_field ["MGBD"]] ]
  }
}

output {
  if [type] == "forti_log" {
    elasticsearch {
      hosts => "localhost:9200"
      index => "forti-%{+YYYY.MM.dd}"
    }
  }
}
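One way to do the split and the grouping inside the Logstash pipeline itself, as an added example that is not part of the original post: the `dissect` filter cuts the `vpn` value at its first underscore and a conditional maps the prefix to a group. The two mappings `sz` -> Energetic and `sczv` -> MGBD come from the question; the field names `vpn_prefix`, `vpn_suffix`, `vpn_group`, the regex branch and the group names other than those two are my assumptions.

```logstash
filter {
  if [type] == "forti_log" {
    # ... kv / geoip / mutate from the existing pipeline go here ...

    # only try to split when the event actually carries a "vpn" field
    if [vpn] {
      # dissect stops at the FIRST "_": "sz_forti" -> vpn_prefix = "sz", vpn_suffix = "forti"
      # (a value with several underscores keeps the remainder in vpn_suffix)
      dissect {
        mapping => { "vpn" => "%{vpn_prefix}_%{vpn_suffix}" }
        # a value without any "_" does not match; tag it instead of passing silently
        tag_on_failure => [ "_vpn_dissect_failure" ]
      }

      # exact matches first (from the question), then a pattern test, then a catch-all
      if [vpn_prefix] == "sz" {
        mutate { add_field => { "vpn_group" => "Energetic" } }
      } else if [vpn_prefix] == "sczv" {
        mutate { add_field => { "vpn_group" => "MGBD" } }
      } else if [vpn_prefix] =~ /^sz[a-z]+$/ {
        # assumed example of a regex test on the prefix, e.g. "szec"
        mutate { add_field => { "vpn_group" => "sz-family" } }
      } else {
        mutate { add_field => { "vpn_group" => "other" } }
      }
    }
  }
}
```

Events tagged `_vpn_dissect_failure` or grouped as `other` are the ones whose `vpn` value did not match any expectation, so a quick search on them in Kibana shows which prefixes still need a mapping. To count connections per group and day, aggregate on `vpn_group.keyword` (the keyword sub-field the default dynamic mapping adds), or declare the field as `keyword` in your index template.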