Hello @gvdm90. Currently, it's not possible to dynamically extract that information from an event and reuse it as a field with Filebeat, but we plan to add something in Beats that will work like the dissect filter in Logstash.
But you can solve your problem by either one of the following options:
- Use the ingest node feature to do the processing; you can extract the `app_name` part using a grok processor and do more filtering after.
- Use Logstash with the beats inputs and the grok filter and send your events to Logstash instead of sending them directly to Elasticsearch.
What kind of filtering are you doing?