Hi there,
We are using %{env} as a way to set what Elasticsearch indices Logstash should post to. We combine this with the application type %{component} to make a namespace
The problem is that some of our log sources set 'env' to the full word 'production/staging/testing', others to just 'prod/stag/test'. How do I set a field to just the first 4 characters of a variable, to maintain some consistency?
if [env] and [component] and ![namespace] {
mutate {
add_field => { 'namespace' => "%{env}-%{component}" }
}
}
So I'd like to alter the above to use just the first four characters of 'env'. Is there a way to do this inline? Or will I need to make a new variable and use that? My search-fu hasn't been successful (hard to find good terms).
Thanks,
Paul