match => { "source" => "C:\Progra~1\worker\engine\work\%{INT:logID}" }
I have grok matching "message" but I'm trying to match the source from where beats reads in the file. Adding a match for source under grok doesn't seem to detect source at all.
How can I go about extracting a field from the source?
Thanks
Do you have this line in a grok filter of its own? The backslashes probably need to be escaped. Try this:
C:\\Progra~1\\worker\\engine\\work\\%{INT:logID}Hi Magnus,
I had the double basckslashes but they were probably stripped when I posted. I separated the "source" grok filter from the "message" grok filter and that did the trick.
Thanks for your help.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.