Using grok on just one field

So I have been trying to figure out how to use grok on just one field from the input. Specifically, I'm using the beats input to get all my logs, and it automatically produces a bunch of fields for Kibana. One of those fields is a string that contains the log that I want to break apart. Is there a way to use a grok filter on a specific field?

Yes, the basic syntax of a grok filter is

filter {
  grok {
    match => { "someField" => "<your pattern goes here>" }
  }
}

You can do that against any field you want.


I have unfortunately tried that. What if this field is nested? For example:

{ _source: { log: "" } }

To refer to a nested field, you specify the full path to that field: [top-level field][nested field].

But _source is an Elasticsearch concept. It is not present in Logstash.

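To make the field-reference and single-field matching concrete, here is an added Ruby miniature of what the grok filter does with `match => { "[top-level][nested]" => pattern }`; it is not code from the thread or from Logstash itself. It assumes the event is a plain Hash, that the raw line lives under a nested field named `[log][line]` (a constructed name, not a guaranteed beats field), and it expands only a handful of stock grok pattern names.

```ruby
# Resolve a Logstash field reference and run a grok-style pattern against
# that one field only, writing the named captures to the top level of the event.

# "message" -> ["message"];  "[log][line]" -> ["log", "line"]
def parse_field_ref(ref)
  return [ref] unless ref.start_with?("[")
  ref.scan(/\[([^\]]+)\]/).flatten
end

# Walk the nested Hash along the reference; nil if any segment is missing.
def get_field(event, ref)
  node = event
  parse_field_ref(ref).each do |key|
    return nil unless node.is_a?(Hash) && node.key?(key)
    node = node[key]
  end
  node
end

# Small subset of the stock grok pattern library, expanded to regexps by hand.
GROK_PATTERNS = {
  "IP"         => /(?:\d{1,3}\.){3}\d{1,3}/,
  "WORD"       => /\w+/,
  "NUMBER"     => /-?\d+(?:\.\d+)?/,
  "GREEDYDATA" => /.*/,
}

# Turn "%{IP:client} %{WORD:method}" into a regexp with named groups;
# literal text between %{...} tokens is escaped so it matches verbatim.
def compile_grok(pattern)
  src = pattern.gsub(/%\{(\w+):(\w+)\}|[^%]+|%/) do |tok|
    $1 ? "(?<#{$2}>#{GROK_PATTERNS.fetch($1).source})" : Regexp.escape(tok)
  end
  Regexp.new(src)
end

# Equivalent of grok { match => { ref => pattern } }: on a miss, tag the event
# with _grokparsefailure the way Logstash does instead of raising.
def grok_field(event, ref, pattern)
  value = get_field(event, ref)
  m = value.is_a?(String) ? compile_grok(pattern).match(value) : nil
  if m
    m.names.each { |name| event[name] = m[name] }
  else
    (event["tags"] ||= []) << "_grokparsefailure"
  end
  event
end

# Constructed sample event; the [log][line] field name is an assumption.
SAMPLE_EVENT = {
  "@timestamp" => "2024-01-01T00:00:00Z",
  "log" => { "line" => "10.0.0.5 GET /health 200" },
}

if __FILE__ == $0
  p grok_field(Marshal.load(Marshal.dump(SAMPLE_EVENT)), "[log][line]",
               "%{IP:client} %{WORD:method} %{GREEDYDATA:path} %{NUMBER:status}")
end
```

Referencing `[_source][log]` resolves to nothing here for the reason the answer gives: `_source` is an Elasticsearch wrapper, not a field on the Logstash event.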
