I have a working grok filter for a log file just like I want it. Currently the full email is parsed into a single field I call "user". I do not want to split this in the original grok unless I have to. I would like to strip the username portion of an email address before the @ and store it in a new field called "uid". I know that mutate has a split option, but it splits the content of the original field, which I would prefer not to have happen. Initially tried:
As discovered, this one changes the original field, which I do not want, and for some reason it does not add a field called "uid". Could use some further advice. Thank you.
Thanks as usual Badger, seems the documentation on syntax has some typos.
As to your question why not use a second grok, I am not totally clear on what you mean. I don't know how to grok the fields of a message that have already been "groked" so to speak. That sounds like an ideal solution though. Currently the "user" field is parsed using the %EMAILADDRESS pattern and works well and I want to maintain that field, but for other reasons it would be nice to be able to search on just the username portion of that field.
Another point for Badger. Worked 100% as expected. Thank you again. Also exposed a serious misunderstanding on my part as to how I thought these filters worked.
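The "second grok" approach the thread settles on, written out as an added example (this is not the original poster's or Badger's configuration). It assumes the first grok has already produced a field named `user` from the `%{EMAILADDRESS:user}` pattern; the second grok then reads that field and writes only a new `uid` field. Filters run in the order they appear in the pipeline, so a later grok can match against any field an earlier one created, and grok never modifies the field it matches on. The `EMAILLOCALPART` pattern is part of the standard grok pattern set and is the same sub-pattern `EMAILADDRESS` uses for the part before the `@`. The sample input in the comments is constructed.

```conf
filter {
  # First grok (already working): parses the raw line and stores the
  # whole address in "user". The message below is a constructed sample.
  #   message => "2024-01-01T00:00:00Z login ok jdoe@example.com"
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:ts} login %{WORD:status} %{EMAILADDRESS:user}" }
  }

  # Second grok: match against the "user" field that the first grok
  # created. Grok only reads the source field, so "user" keeps its full
  # value and a new "uid" field receives the local part before the "@".
  # Anchoring with ^ avoids a slow, unanchored scan of the field.
  grok {
    match => { "user" => "^%{EMAILLOCALPART:uid}@" }
    # Give the failure its own tag so a bad "user" value is easy to
    # spot in the output without being confused with the first grok.
    tag_on_failure => ["_uid_grok_failure"]
  }
}

# Resulting event fields for the sample message (constructed):
#   user => "jdoe@example.com"
#   uid  => "jdoe"
```

If the second grok should only run when the first one succeeded, wrap it in `if [user] { ... }` so events without a `user` field are not tagged with the failure tag.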