Logstash mutate error for hostname

hi I meet a weird problem, I want to parse my hostname is "alexworkstation-alex", I wanna get the string "alexworkstation" , so I split the hostname by "-" . but I can't add_field .

this is follow with official doc: https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html

my logstash.yml is :
input {
  beats {
    port => 5044
  }
}
filter {
  mutate {
    split => { "hlexname" => "-" }
    add_field => { "shortHostname" => "%{hlexname[0]}" }
  }
}
output {
        stdout { }
}



This is the output:

{
      "@version" => "1",
           "log" => {
          "file" => {
            "path" => "/workspace/log/alex.log"
        },
        "offset" => 261
    },
           "ecs" => {
        "version" => "1.5.0"
    },
      "hlexname" => [
        [0] "alexworkstation",
        [1] "alex"
    ],
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_mutate_error"
    ],
    "@timestamp" => 2020-12-03T08:47:31.030Z,
         "agent" => {
                "type" => "filebeat",
                  "id" => "ba946663-8b33-4cdc-9b16-ac1384ebcaee",
        "ephemeral_id" => "50cbd2de-89f2-4b57-bfa9-8b56d154c818",
             "version" => "7.7.1",
            "hostname" => "alexworkstation-alex"
    },
         "input" => {
        "type" => "log"
    },
       "message" => "Thu Dec  3 08:47:24 UTC 2020",
          "host" => {
        "name" => "alexworkstation-alex"
    }
}

rather :

filter {
  mutate {
    split => [ "hlexname", "-" ]
    add_field => { "shortHostname" => "%{hlexname[0]}" }
  }
}

tried. Doesn't work. keep mutate error

I fixed myself with add_field => { "shortHostname" => "%{[hlexname][0]}" }

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.