[solved] Namespacing grok output

Sushimaster · May 3, 2018, 11:55am

Hi,

when using logstash for pushing apache logs into elasticsearch, very close to the example config in logstash docs:

filter {
    mutate {
        replace => { type => "apache_access" }
    }
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
 useragent {
    source => "agent"
    target => "useragent"
}
}

Now, in elasticsearch the results are keys like "request", "host", "auth" etc.

How to namespacing the output, e.g. like the pipeline naming?
mypipelinename.request
mypipelinename.host
mypipelinename.auth
.... you got the idea.

It would be as more handy and useful as now, don't you think so? Couldn't find anythin in docs yet

magnusbaeck · May 3, 2018, 12:53pm

Two options:

Copy the definition of COMBINEDAPACHELOG and capture the fields into the desired hierarchy, i.e. change all occurences of %{SOMEPATTERN:somefield} to %{SOMEPATTERN:[mypipelinename][somefield]}.
Keep using the original grok pattern but move the fields with a mutate filter afterwards, although then you obviously need to maintain the list of all fields.

Sushimaster · May 7, 2018, 9:54pm

Thanks, %{SOMEPATTERN:[mypipelinename][somefield]} did the job!

system · June 4, 2018, 10:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.