I define fields in filebeat.yml as below:
...
-
paths:
- /var/log/*-*/a-b-c.log*
document_type: ...
enabled: true
fields:
serviceNam: a-b-c
-
paths:
- /var/log/*-*/d-e-f.log*
document_type: ...
enabled: true
fields
serviceName: d-e-f
I want to use fields.serviceName in grok match pattern, e.g. when input is
... 123-bar-baz-a-b-c ...
... 456-foo-d-e-f ...
I want to match "123-bar-baz" and "456-foo" to a field. Both parts (e.g. 456-foo and d-e-f) can contain an arbitrary number of dashes, or any other characters but no spaces, and I always know (pass in via fielebeat.yml fields) the second half of the string (i.e. a-b-c and d-e-f in this example). The first part of the string (which I want to match) may or may not start with a number.
How can reference "fields.serviceName" in a grok match pattern? I tried a number of ways to no avail so far. E.g.
...\[(?<serviceLongName>(?<buildName>(%{NUMBER:buildNumber}-)?(%{DATA})?)-%{[fields][serviceName]}),...
Instead of %{[fields][serviceName]} I also tried %{fields.serviceName}, %{serviceName} I also tried to mutate { add_field => {} } before grok match then reference the added field but nothing worked the way I need. Please advise.