Hi
extracting part of the path from source
I found this
And it seems to say what I want to do, but I am not sure how to implement
I have Filebeat set up to send to a Logstash input
I'm using grok, I've got
grok {
match => [ "message" , "%{TIMESTAMP_ISO8601:timestamp} (?<thread>\[.*\]) %{LOGLEVEL:loglevel} %{GREEDYDATA:message}"]
}
All my source file names should be like
/path1/path2/path3/path4/
I am interested in getting path4 into a file name
This is what I saw from the message
grok { match => [ "message", "^/[^/]+/[^/]+/[^/]+/(?[^/]+)" ] }
grok { match => [ "message", "/(?[^/]+)/[^/]+/[^/]+$" ] }
What do I need to add to my code to extract path4? Even to add to that, let's say all the paths are like
/var/log/abc/<path i'm interested in>/
So I'm guessing
grok { match => [ "message", "^/var/log+/(?<dir1>[^/]+)" ] }
Does this mean I get a variable called dir1 which has the info I am after?
Also
match => [ "message" , "%{TIMESTAMP_ISO8601:timestamp} (?<thread>\[.*\]) %{LOGLEVEL:loglevel} %{GREEDYDATA:message}"]
The last bit adds the "rest" of the message as message[1]. It doesn't save it in message[0].
How can I get {GREEDYDATA:message} to replace the message variable?
Thanks
Edit
I'm thinking
grok { match => [ "message", "^/var/log+/(?<dir1>[^/]+)" ] } should be
grok { match => [ "source", "^/var/log+/(?<dir1>[^/]+)" ] }
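An added example, not part of the original post: one way to write the two filters the question asks about, using grok's `overwrite` option to replace `message` and a second grok on `source` for the directory name. It assumes Filebeat puts the file path in `source` and that paths look like /var/log/abc/<dir>/<file>; the failure tag name is made up for this example.

```logstash
filter {
  # Parse the log line. Without "overwrite", the GREEDYDATA capture is
  # appended to the existing message field, giving a two-element array.
  # With it, the captured remainder replaces the original message.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} (?<thread>\[.*\]) %{LOGLEVEL:loglevel} %{GREEDYDATA:message}" }
    overwrite => [ "message" ]
  }

  # Take the directory directly below /var/log/abc/ from the file path.
  # The named group (?<dir1>...) creates an event field called dir1.
  # Anchoring with ^ and the fixed prefix means a file shipped from an
  # unexpected location is tagged instead of yielding a misleading dir1.
  grok {
    match => { "source" => "^/var/log/abc/(?<dir1>[^/]+)/" }
    # Tag name is a constructed placeholder; pick any name you can alert on.
    tag_on_failure => [ "_sourcepath_parsefailure" ]
  }
}
```

Events whose path does not match keep flowing but carry the failure tag, so they can be routed or counted separately downstream.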