Hi,
I'm trying to map a nested field from a custom grok expression.
So, instead of using:
(?=.*?Message Type: (?<test1>[^;]+))?
I would like to map test1 to [event][name].
Tried things like:
(?=.*?Message Type: (?<[event][name]>[^;]+))?
(?=.*?Message Type: (?<event.name>[^;]+))?
(?=.*?Message Type: (?<{[event][name]}>[^;]+))?
...
Is that even possible? I know I could rename them later but that's not the idea...
Thanks!
This seems related to a support library issue. Can't be fixed at least 3y ago. An option would be to define custom patterns.
See Parse regex to a nested field · Issue #66 · logstash-plugins/logstash-filter-grok · GitHub.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.