Solved: removing domain name from hostname (host.name) with Logstash mutate split and replace filter

I ran into an issue in Kibana where the logs for a server were not showing up after I clicked on a server in Metrics -> Inventory -> Host logs. There were, however, logs in the Winlogbeat index that were specific to each server and within the timeframe that "Host logs" was pulling up. It seems like the filter in the Host logs link was looking for just the host.name, i.e. abc1234, but the host.name of the servers was actually populating in our documents as abc1234.xyz.ny.gov. I came across this thread, "How to parse a hostname", and this was the solution; I just had to alter some of the pieces to fit this specific case. Hopefully someone else finds this useful and it saves them some time.

Overall, the host.name field that was populating in our documents as abc1234.xyz.ny.gov was changed to abc1234, which allowed the Host logs link in the Metrics -> Inventory UI to populate correctly.

filter {
  # Turn "abc1234.xyz.ny.gov" into the array ["abc1234", "xyz", "ny", "gov"]
  mutate {
    split => ["[host][name]", "."]
  }

  # Overwrite the array with its first element, so host.name becomes "abc1234"
  mutate {
    replace => ["[host][name]", "%{[host][name][0]}"]
  }
}
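The same "keep only the leftmost label" logic as the two mutate filters above, written as a plain Ruby function (the kind of code one would put in a Logstash ruby filter). This is an added example, not the original poster's configuration; the function names short_hostname and shorten_host_name! and the sample events are assumptions. It adds two guards the split/replace pair does not have: an IP literal in host.name (splitting "10.1.2.3" on "." would leave "10") is kept intact, and an event with no host.name is passed through unchanged.

```ruby
require 'ipaddr'

# Return the part of a hostname before the first dot, unless the value
# is an IPv4/IPv6 literal (no domain to strip) or empty.
def short_hostname(name)
  return name if name.nil? || name.empty?
  begin
    IPAddr.new(name)          # parses IPv4 and IPv6 literals
    return name               # an IP address stays as-is
  rescue IPAddr::InvalidAddressError
    # not an IP literal: treat it as an FQDN and fall through
  end
  name.split('.', 2).first    # same result as %{[host][name][0]}
end

# Mirrors what the mutate filters do to the event's [host][name] field,
# but leaves events without that field untouched.
def shorten_host_name!(event)
  host = event['host']
  return event unless host.is_a?(Hash) && host.key?('name')
  host['name'] = short_hostname(host['name'])
  event
end

# Constructed sample events (hostnames and addresses are made up).
if __FILE__ == $0
  [
    { 'host' => { 'name' => 'abc1234.xyz.ny.gov' } },
    { 'host' => { 'name' => 'abc1234' } },
    { 'host' => { 'name' => '10.1.2.3' } },
    { 'message' => 'event with no host field' }
  ].each { |ev| p shorten_host_name!(ev) }
end
```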
