I am brand new to logstash so apologies in advance for what I'm sure will turn out to be "dumb" questions.
I have a very simple log file with some | separated data in it. Like this:
1550613490|MANAGER|1|Local/901@internalcalls|ADDMEMBER|
I am using dissect in the filters to split up and store this data and this is working well so far. Note: using if's since there are many different event types to parse that need to result in different field mapping per event.
    if "ADDMEMBER" in [message] {
      dissect {
        mapping => {
          "message" => "%{dtstamp}|%{callid}|%{qname}|%{bridgechan}|%{event}|"
        }
      }
    }
    date {
      match => ["dtstamp", "UNIX"]
      target => "dtstamp_datetime"
    }
So far so good.
Now, bridgechan has the following in it:
Local/901@internalcalls
At this point I now want to parse out 901 in this example and put it in a new field called UserID. It is this that I cannot work out yet.
First question is, can you use another dissect on the bridgechan variable from within the filter part of the logstash.conf file? In short, can I parse something that I've already parsed out into a new field? Or perhaps I cannot do this and need to parse something from the original input (message).
I wonder because I tried to do something like the following at the end of the filter section and have not had any success.
    dissect {
      mapping => { %{bridgechan} => "%{firstpart}/%{secondpart"}
    }
Any help for "the new guy" would be greatly appreciated.
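
A two-stage dissect for the case described above, as an added example that is not part of the original post: a dissect mapping key is the quoted name of the source field, so a field produced by an earlier filter can be dissected again. The field names `chantype` and `context` and both tag names are assumptions made for illustration; `UserID` is the field the post asks for.

```logstash
# Added example, not code from the original post.
# Assumed names: chantype, context, and the two tag values below.
filter {
  if "ADDMEMBER" in [message] {
    # Stage 1: split the raw pipe-separated line (mapping taken from the post).
    dissect {
      mapping => {
        "message" => "%{dtstamp}|%{callid}|%{qname}|%{bridgechan}|%{event}|"
      }
    }

    # Stage 2: dissect the field created in stage 1.
    # The key is the field name as a plain quoted string, not %{bridgechan}.
    # Guard on the expected <type>/<id>@<context> shape so a value without
    # "/" or "@" is tagged for review instead of yielding a wrong UserID.
    if [bridgechan] =~ /^[^\/]+\/[^@]+@.+$/ {
      dissect {
        mapping => {
          "bridgechan" => "%{chantype}/%{UserID}@%{context}"
        }
        tag_on_failure => ["_bridgechan_dissectfailure"]
      }
    } else if [bridgechan] {
      mutate { add_tag => ["bridgechan_unparsed"] }
    }
  }

  # Convert the epoch timestamp only when stage 1 actually produced it.
  if [dtstamp] {
    date {
      match  => ["dtstamp", "UNIX"]
      target => "dtstamp_datetime"
    }
  }
}
```

For the sample line in the post this yields `chantype` = `Local`, `UserID` = `901` and `context` = `internalcalls`.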