Split filepath to a new field

nestro · November 23, 2022, 12:42pm

Hi! I use Filebeat on a central Syslog server which collects logs from all network devices. Filebeat is configured to collect the logs (which are arrenged by days in the month) from this server and sends them to Logstash.

The log.file.path fileld's value is the following: /var/log/remote/device name/.

I would like to split the device name from the log.file.path field and make a new field for this which will be the device name field. And later visualize in Kibana.

I didn't found anything similar to this so far. Thank you for in advance!

Rios · November 23, 2022, 2:21pm

Is this you looking for?

    mutate { add_field => { "devicename" => "%{[log][file][path]}" } }
    mutate{ gsub => ["devicename", '/var/log/remote/', "" ] }
    mutate{ gsub => ["devicename", '[/]', "" ] }

Also is possible by grok

Rios · November 23, 2022, 2:51pm

Another option is split and take whatever is on the 4th position.

    mutate { copy => { "[log][file][path]" => "[@metadata][path]"}}
    mutate {  split  => { "[@metadata][path]" => "/" }      }
    mutate { add_field => { "devicename" => "%{[@metadata][path][4]}"}}

system · December 21, 2022, 2:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.