kavierkoo
(Kavier)
February 9, 2021, 4:43pm
2
There are plenty of solutions in the community posts.
With Split
Magnus,
Your recommendation worked, thanks for your prompt response.
The following replaces my hostname from esx1.acme.com to esx1.
mutate {
  split => ["syslog_hostname", "."]
}
mutate {
  replace => ["syslog_hostname", "%{[syslog_hostname][0]}"]
}
Thanks
With Grok
Hello,
Thanks for reaching out. Just to clarify, are you using a Logstash pipeline? If so, would a grok pattern like the following work to break up the host name and domain name?
%{DATA:host}\.%{GREEDYDATA:domain}
Thanks.
Another Grok sample
Untested:
filter {
  grok {
    match => ["URL", "\.(?<Domain>[^.]+\.[^.]+)$"]
  }
}
Splitting the string on each period, grabbing the two last elements, and joining them back together should be a lot more efficient though.
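The split-and-join approach from the quoted posts, as an added example that is not taken from any of those posts. It is written in plain Ruby (the language of Logstash's ruby filter) and is not wired to the Logstash event API; `split_hostname`, `ip_literal?` and the sample values are hypothetical names and constructed inputs. It also covers a case the snippets above do not: a source that logs an IP address instead of a name, where splitting on "." would leave only the first octet in the host field.

```ruby
# Dotted-quad IPv4 literal such as 10.0.0.5 (shape check only, no range check).
IPV4 = /\A\d{1,3}(\.\d{1,3}){3}\z/

# True when the value looks like an IP literal rather than a DNS name.
# Any value containing ":" is treated as IPv6, since ":" is not valid in a hostname.
def ip_literal?(value)
  value.include?(':') || value.match?(IPV4)
end

# Split a syslog hostname into its short host name (first label) and the
# domain formed by its last two labels. Values that are not multi-label DNS
# names are returned unchanged with a nil domain, so they stay searchable.
# Note: "last two labels" is a naive rule; for names under suffixes such as
# co.uk it returns the suffix itself, not the registered domain.
def split_hostname(raw)
  name = raw.to_s.strip.chomp('.')          # tolerate a trailing root dot
  unchanged = { host: name, domain: nil }
  return unchanged if name.empty? || ip_literal?(name)

  labels = name.split('.')
  # Single-label names and names with empty labels ("a..b") are left alone.
  return unchanged if labels.length < 2 || labels.any?(&:empty?)

  { host: labels.first, domain: labels.last(2).join('.') }
end

# Constructed sample values, not taken from real logs.
if __FILE__ == $PROGRAM_NAME
  ['esx1.acme.com', 'esx1.acme.com.', 'esx1', '10.0.0.5', 'fe80::1'].each do |h|
    puts "#{h.inspect} -> #{split_hostname(h)}"
  end
end
```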