Hi,
I just wanna change my field value like this:
I have a log json with field:
"source_host": "dev-host-test.com.pl",
and i need to remove only .com.pl leave the old field and create new field with value:
"new_field":"dev-host-test"
Is there a simple way to do it with grok or other logstash options ?
Try something like this:
dissect {
mapping => {
"source_host" => "%{new_field}.%{}"
}
}
Yeah this solution work, but 
i have mixing source_host values like:
And i think this solution work only for message that have .com.pl , if message has correct value: only dev-host-test and i dont need to change anything i got an error:
[2019-02-05T09:29:14,315][WARN ][org.logstash.dissect.Dissector] Dissector mapping, pattern not found {"field"=>"source_host", "pattern"=>"%{index_field}.%{}",Then you might need a conditional as well to check if the field contains a dot.
Simple if ? like:
if ("*." in [source_host]) {
dissect {
mapping => {
"source_host" => "%{source_host}.%{}"
}
}
}Maybe something like this:
if [source_host] =~ /\./ {
dissect {
mapping => {
"source_host" => "%{new_field}.%{}"
}
}
} else {
mutate {
copy => { "source_host" => "new_field" }
}
}
Works perfectly <3 ! Thanks so much!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.