Hey,
I have just recently started using Logstash and am still getting my head around it.
Is it possible to run a grok filter to match a pattern then split it into two fields or get other values out of it?
For example I have been testing my patterns on: https://grokdebug.herokuapp.com/
If I use the debugger to match, say, http://www.google.com to %{URI:test}
Is it possible to also get the HOSTNAME out of URI?
URI > URIHOST > HOSTNAME
URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
On the debugger I get the output.
{
  "test": [
    [
      "http://google.com"
    ]
  ],
  "URIPROTO": [
    [
      "http"
    ]
  ],
  "USER": [
    [
      null
    ]
  ],
  "USERNAME": [
    [
      null
    ]
  ],
  "URIHOST": [
    [
      "google.com"
    ]
  ],
  "IPORHOST": [
    [
      "google.com"
    ]
  ],
  "HOSTNAME": [
    [
      "google.com"
    ]
  ],
  "IP": [
    [
      null
    ]
  ],
  "IPV6": [
    [
      null
    ]
  ],
  "IPV4": [
    [
      null
    ]
  ],
  "port": [
    [
      null
    ]
  ],
  "URIPATHPARAM": [
    [
      null
    ]
  ],
  "URIPATH": [
    [
      null
    ]
  ],
  "URIPARAM": [
    [
      null
    ]
  ]
}
I'm interested in my field "test" but also would like the field HOSTNAME out of it. Obviously the value is there, but I'm not sure how to get it as a field into Elasticsearch.
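
An added example, not part of the original post: a grok filter that keeps the whole URI in "test" and also stores the host part as its own field, by restating the URI pattern quoted above with the host sub-pattern given a name. The pattern name URIWITHHOST, the field names uri_hostname and uri_port, and the source field "message" are assumptions; the expansion of URIHOST assumes the stock grok definition.

```logstash
filter {
  grok {
    # URIWITHHOST is a hypothetical name. It is the URI pattern from the post
    # with %{URIHOST} written out as IPORHOST plus an optional port, so the
    # host part can carry a field name of its own.
    pattern_definitions => {
      "URIWITHHOST" => "%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{IPORHOST:uri_hostname}(?::%{POSINT:uri_port})?)?(?:%{URIPATHPARAM})?"
    }

    # Assumes the URL arrives in the "message" field.
    # "test" receives the full match; uri_hostname and uri_port are filled
    # by the named sub-patterns inside it.
    match => { "message" => "%{URIWITHHOST:test}" }

    # named_captures_only defaults to true, so sub-patterns without a field
    # name (URIPROTO, USER, URIPATHPARAM here) are matched but not stored.
    # The debugger output in the post lists every sub-pattern, named or not.
  }
}
```

The extra fields are written to the event alongside "test", so they are indexed into Elasticsearch with it.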