[solved] Namespacing grok output


#1

Hi,

when using logstash for pushing apache logs into elasticsearch, very close to the example config in logstash docs:

filter {
  mutate {
    replace => { type => "apache_access" }
  }
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
  useragent {
    source => "agent"
    target => "useragent"
  }
}

Now, in elasticsearch the results are keys like "request", "host", "auth" etc.

How do I namespace the output, e.g. with the pipeline name?
mypipelinename.request
mypipelinename.host
mypipelinename.auth
.... you got the idea.

It would be more handy and useful than it is now, don't you think? Couldn't find anything in the docs yet.


(Magnus Bäck) #2

Two options:

  • Copy the definition of COMBINEDAPACHELOG and capture the fields into the desired hierarchy, i.e. change all occurrences of %{SOMEPATTERN:somefield} to %{SOMEPATTERN:[mypipelinename][somefield]}.
  • Keep using the original grok pattern but move the fields with a mutate filter afterwards, although then you obviously need to maintain the list of all fields.
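
Added example (my own, not code from either poster or from Logstash itself) that automates both options above. It takes a copy of the COMMONAPACHELOG / COMBINEDAPACHELOG definitions (embedded here as constructed input; check them against the patterns directory of your own installation, since the definitions have changed between releases), rewrites every `%{SYNTAX:semantic}` capture to `%{SYNTAX:[mypipelinename][semantic]}` for option 1, and derives the field list for the `mutate` rename of option 2 from the same definitions so it does not have to be maintained by hand. The pattern-name prefix `MYPIPE_`, the namespace `mypipelinename` and the helper names are all assumptions of the example. One detail worth noticing: COMBINEDAPACHELOG references COMMONAPACHELOG without a field name, so a namespaced copy must also redirect that reference to the namespaced COMMONAPACHELOG copy, otherwise the clientip/auth/request fields stay top-level.

```python
import re

# Grok capture reference: %{SYNTAX}, %{SYNTAX:semantic} or %{SYNTAX:semantic:type}
GROK_REF = re.compile(
    r"%\{(?P<syntax>[A-Z][A-Z0-9_]*)"
    r"(?::(?P<semantic>[^:}]+))?"
    r"(?::(?P<type>int|float))?\}"
)

# Constructed copy of the Apache definitions from logstash-patterns-core (legacy set).
# Verify against the patterns shipped with your own Logstash version.
BASE_PATTERNS = {
    "COMMONAPACHELOG": (
        r'%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} '
        r'\[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}'
        r'(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" '
        r'%{NUMBER:response} (?:%{NUMBER:bytes}|-)'
    ),
    "COMBINEDAPACHELOG": r"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}",
}


def namespace_pattern(pattern, namespace, renames=None):
    """Rewrite every named capture in `pattern` as %{SYNTAX:[namespace][field]}.

    `renames` maps pattern names to replacement names so that an unnamed
    reference such as %{COMMONAPACHELOG} points at the namespaced copy;
    left untouched, that reference would still emit top-level fields.
    """
    renames = renames or {}

    def rewrite(m):
        syntax = renames.get(m.group("syntax"), m.group("syntax"))
        semantic, typ = m.group("semantic"), m.group("type")
        if semantic is None:
            return "%{" + syntax + "}"
        # A capture that is already a nested path ([a][b]) just gets the prefix.
        path = semantic if semantic.startswith("[") else "[" + semantic + "]"
        out = "%{" + syntax + ":[" + namespace + "]" + path
        if typ:
            out += ":" + typ
        return out + "}"

    return GROK_REF.sub(rewrite, pattern)


def namespace_pattern_set(patterns, namespace, prefix):
    """Option 1: namespaced copies of a whole pattern set under new names.

    Returns {prefix + NAME: rewritten pattern}, ready to be written to a file
    in the grok filter's patterns_dir.
    """
    renames = {name: prefix + name for name in patterns}
    return {
        renames[name]: namespace_pattern(body, namespace, renames)
        for name, body in patterns.items()
    }


def captured_fields(name, patterns):
    """Field names a pattern captures, following unnamed references to other
    patterns in `patterns` (core patterns such as IPORHOST add no named
    captures here, so they are not expanded)."""
    fields = []
    for m in GROK_REF.finditer(patterns[name]):
        if m.group("semantic"):
            fields.append(m.group("semantic"))
        elif m.group("syntax") in patterns:
            fields.extend(captured_fields(m.group("syntax"), patterns))
    return fields


def mutate_rename_block(fields, namespace):
    """Option 2: a mutate filter that moves the listed fields under the
    namespace after the stock %{COMBINEDAPACHELOG} grok has run."""
    lines = ["mutate {", "  rename => {"]
    for f in fields:
        lines.append('    "%s" => "[%s][%s]"' % (f, namespace, f))
    lines += ["  }", "}"]
    return "\n".join(lines)


def patterns_file(patterns):
    """Render a pattern set in the one-definition-per-line grok file format."""
    return "\n".join("%s %s" % (k, v) for k, v in patterns.items()) + "\n"


if __name__ == "__main__":
    ns = namespace_pattern_set(BASE_PATTERNS, "mypipelinename", "MYPIPE_")
    print(patterns_file(ns))  # option 1: write this to a file in patterns_dir
    print(mutate_rename_block(
        captured_fields("COMBINEDAPACHELOG", BASE_PATTERNS), "mypipelinename"))
```

With option 1 the grok filter would then match `%{MYPIPE_COMBINEDAPACHELOG}` with `patterns_dir` pointing at the generated file. Either way, the other filters in the config at the top of the thread still address top-level names: the `date` filter reads `timestamp` and the `useragent` filter reads `agent`, so after namespacing those become `[mypipelinename][timestamp]` and `[mypipelinename][agent]` (and `target` can move under the namespace as well), or the date filter silently finds nothing to parse.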

#3

Thanks, %{SOMEPATTERN:[mypipelinename][somefield]} did the job!


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.