Need help with grok

I need to grok the directory field, whose example value is:
C:\Users\takuya\Desktop\_Summary presentation\references

so that the `Desktop` component is pulled out and saved in a new field.

Is there always a value in the 3rd position (counting from the drive letter)? What should the new field be named?
You can use split (or dissect) instead of grok. The config below shows all three approaches; each extracts the same component into its own field.

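# Test harness: the generator input feeds a single sample event. Replace it with the
# real input (file, beats, ...) when the path comes from actual logs; from then on the
# message is untrusted data, which is why the patterns below avoid open-ended matches.
# The string escapes below rely on the Logstash default config.support_escapes: false,
# so a literal \\ reaches the regex engine unchanged.
input {
  generator {
    "message" => 'C:\Users\takuya\Desktop\_Summary presentation\references'
    count     => 1
  }
}

filter {
  # Option 1: dissect. Positional and cheap (no regex); an empty %{} skips a component.
  # The pattern requires exactly six backslash-separated parts; any other depth tags the
  # event with _dissectfailure and dir3 is not set.
  #dissect { mapping => { "message" => "%{disk}\%{dir1}\%{dir2}\%{_dir3}\%{dir4}\%{dir5}" } }
  dissect { mapping => { "message" => "%{}\%{}\%{}\%{dir3}\%{}\%{}" } }

  # Option 2: grok. Each component is matched with [^\\]* (anything but a backslash)
  # instead of a chain of lazy %{DATA} matches: same result for well-formed paths, but it
  # does not backtrack across the whole string on malformed input, which matters once
  # the message comes from an untrusted source. Depth other than six parts tags the
  # event with _grokparsefailure and gdir3 is not set.
  #match => { "message" => "%{WORD:gdisk}\:\\%{DATA:gdir1}\\%{DATA:gdir2}\\%{DATA:gdir3}\\%{DATA:_gdir4}\\%{GREEDYDATA:gdir5}" }
  grok {
    match => { "message" => "%{WORD}\:\\[^\\]*\\[^\\]*\\(?<gdir3>[^\\]*)\\[^\\]*\\%{GREEDYDATA}" }
  }

  # Option 3: split. Work on a copy under @metadata so the temporary array is never
  # indexed, normalise the separator to "/", then split into an array.
  mutate { copy  => { "message" => "[@metadata][path]" } }
  mutate { gsub  => [ "[@metadata][path]", "[\\]", '/' ] }
  mutate { split => { "[@metadata][path]" => "/" } }

  # Indexes are 0-based: [0] is the drive ("C:"), [3] is the fourth component ("Desktop").
  # The add_field is guarded: on a path with fewer than four components the sprintf
  # reference "%{[@metadata][path][3]}" is not resolved and that literal text would
  # otherwise be stored in dirname.
  if [@metadata][path][3] {
    mutate { add_field => { "dirname" => "%{[@metadata][path][3]}" } }
  }
}

output {
  # Debug output only: rubydebug prints every field of the event to the terminal.
  stdout { codec => rubydebug }
}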

Result:

{
       "message" => "C:\\Users\\takuya\\Desktop\\_Summary presentation\\references",
         "gdir3" => "Desktop",
          "dir3" => "Desktop",
       "dirname" => "Desktop"
}
