Split filepath to a new field

nestro · November 23, 2022, 12:42pm

Hi! I use Filebeat on a central Syslog server which collects logs from all network devices. Filebeat is configured to collect the logs (which are arrenged by days in the month) from this server and sends them to Logstash.

The log.file.path fileld's value is the following: /var/log/remote/device name/.

I would like to split the device name from the log.file.path field and make a new field for this which will be the device name field. And later visualize in Kibana.

I didn't found anything similar to this so far. Thank you for in advance!

Rios · November 23, 2022, 2:21pm

Is this you looking for?

    mutate { add_field => { "devicename" => "%{[log][file][path]}" } }
    mutate{ gsub => ["devicename", '/var/log/remote/', "" ] }
    mutate{ gsub => ["devicename", '[/]', "" ] }

Also is possible by grok

Rios · November 23, 2022, 2:51pm

Another option is split and take whatever is on the 4th position.

    mutate { copy => { "[log][file][path]" => "[@metadata][path]"}}
    mutate {  split  => { "[@metadata][path]" => "/" }      }
    mutate { add_field => { "devicename" => "%{[@metadata][path][4]}"}}

system · December 21, 2022, 2:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract folder name as field in logstash Beats filebeat	8	790	June 16, 2022
Can we extract folder and file out of log.file.path field? Kibana	5	2785	March 3, 2020
Extract file name and add as a field Logstash	3	2426	September 18, 2021
Filebeat field depending on Path Beats filebeat	4	478	February 19, 2018
Filebeat and parsing Beats	3	648	July 12, 2017

Split filepath to a new field

Related Topics