Match beats "source"

Zfs · April 29, 2016, 3:41pm

match => { "source" => "C:\Progra~1\worker\engine\work\%{INT:logID}" }

I have grok matching "message" but I'm trying to match the source from where beats reads in the file. Adding a match for source under grok doesn't seem to detect source at all.

How can I go about extracting a field from the source?

Thanks

magnusbaeck · April 30, 2016, 3:29pm

Do you have this line in a grok filter of its own? The backslashes probably need to be escaped. Try this:

C:\\Progra~1\\worker\\engine\\work\\%{INT:logID}

Zfs · April 30, 2016, 4:43pm

Hi Magnus,

I had the double basckslashes but they were probably stripped when I posted. I separated the "source" grok filter from the "message" grok filter and that did the trick.

Thanks for your help.

Topic		Replies	Views
Doesn't work when trying to match on "source" and "message" in the same grok Logstash	2	540	January 16, 2020
Extract field from source Logstash	7	663	May 4, 2018
Extracting filename from existing source field? Logstash	1	527	December 7, 2018
Matching a nested field in a JSON formatted log Logstash	3	1011	June 12, 2019
Grok Trying to continue with pattern based on match Logstash	7	1497	July 21, 2019

Match beats "source"

Related topics