Trouble dissecting characters from a word in a string

elasticperson · September 22, 2021, 6:15pm

Example strings:
thing: xabc123def.testing
thing: xghi456jkl.testing

Given:

String will always begin with x
there will be 3 alpha characters
there will be 3 numeric characters
it may or may not have additional characters after.

I need to extra the first 3 alpha characters (after x) into a new field using a metric/filebeat processor (dissect)

Obviously this will not work:

dissect:
tokenizer: "x%{item1}%{?first number}
field: "extractedfield"

I couldn't find any info on dissect/tokenizer relating to individual characters or wildcards. For example, if I could say make item1 3 characters long, the rest would be easy. Or if I could use a wild card for any number, I could use that as the delimiter.

e997cd7e8d9915436150 · September 23, 2021, 4:25am

Grok is the best way when no separator like example.
But filebeat has no grok processor unfortunately.
Given strings, i think script processor is best way.

  - script:
      lang: javascript
      source: >
        function process(event) {
          var str1 = event.Get("extractedfield");
          var str2 = str1.substr(1,3);
          event.Put("item1", str2);
        }

elasticperson · September 23, 2021, 3:38pm

Wow thank you. I was aware that I couldn't do grok in processors but I was unaware of the script processor.

warkolm · September 29, 2021, 1:06am

The alternative here would be to use an ingest pipeline in Elasticsearch, which has grok.

system · October 27, 2021, 3:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.