Replace content of host field with part from message field

Hello.

I'm trying to replace the content of the host field with part of the message field. My message field contains something like this:

message:<85>Jun 22 11:24:33 backup02.bla.domain.de sudo: .....

Now I want to take "backup02.bla.domain.de" and put it in the "host" field. My filter currently looks like this:

filter {
  if [type] == "general" {
    grok {
      match => [ "message", "^(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9-][a-zA-Z0-9]).)([A-Za-z]|[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9])$" ]
      overwrite => [ "host" ]
    }
  }
}

But this does not seem to have any effect. Can someone please point me in the right direction?

thanks and cheers

I think you're misunderstanding how grok filters work. The grok expression in match needs to include information about which fields should be extracted, typically via the grok-specific %{PATTERN:destination-field}. The overwrite option only indicates which fields in the original event are allowed to be overwritten by the filter.

It looks like you're trying to parse a syslog message. Have you looked at the example in the Logstash documentation that covers that?
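As an added example (not part of the original thread or Magnus's reply), here is a filter that applies the point above to the message in the question: the hostname is captured with a named grok pattern whose destination is host, and overwrite permits that field to be replaced. The PRI prefix `<85>` is matched optionally so lines with and without it both parse. The field names syslog_pri, syslog_timestamp, syslog_program, syslog_pid, syslog_message and received_from are my own choices; the SYSLOGTIMESTAMP, SYSLOGHOST, POSINT, DATA and GREEDYDATA patterns are Logstash's built-in ones.

```logstash
filter {
  if [type] == "general" {
    # Keep the transport-level origin before it is overwritten: the hostname
    # inside a syslog message is supplied by the sender and can be forged,
    # so the original host value is worth retaining for audit purposes.
    # (received_from is an assumed field name.)
    mutate {
      add_field => { "received_from" => "%{host}" }
    }
    grok {
      # Each %{PATTERN:field} writes its match into the named field;
      # %{SYSLOGHOST:host} is what actually populates host.
      match => {
        "message" => "^(?:<%{POSINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
      }
      # Without this, grok refuses to replace an existing host field.
      overwrite => [ "host" ]
    }
  }
}
```

For the constructed input `<85>Jun 22 11:24:33 backup02.bla.domain.de sudo: .....` this sets host to `backup02.bla.domain.de`, syslog_program to `sudo`, and leaves syslog_pid unset because the message carries no `[pid]`. If the match fails, grok adds the `_grokparsefailure` tag and host keeps its previous value, which is a useful thing to alert on when a source starts sending lines in an unexpected format.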

Hello Magnus.

Thanks for taking the time to answer.

So you are saying I cannot take information from one field and add it to another, overwriting the original content?
Is there a way of doing so?

cheers

So you are saying I cannot take information from one field and add it to another, overwriting the original content?

Sure you can, it's just that you're using the wrong syntax. Please have a look at the grok filter examples in the documentation and make sure you understand what they do.