Hi, I am trying to add a field to every message of my alert log . The test has to be extracted from the file name and appended as a field to every log entry. To do that I am doing:- if [path] =~ /alert/ { grok { match => [ "path","%{WORD:logtype}_%{WORD:sid}.%{WORD.filetype}" ] …

Using Grok to add SID field to oracle database logmessages

magnusbaeck (Magnus Bäck) April 4, 2016, 11:30am 7

Hmm. Apparently the definition of WORD ("\b\w+\b") won't work here. You can e.g. use "\w+" instead:

grok {
  match => {
    "message" => ".*/(?<logtype>\w+)_(?<sid>\w+)\.(?<filetype>\w+)$"
  }
}

Topic		Replies	Views
Add field in logstash config Logstash	6	2293	July 6, 2017
Extract certain fields from Oracle listener log Logstash	9	4634	July 6, 2017
Create new field based on msg filed in logstash Logstash	11	8837	July 6, 2017
Extracting contents of the filename (from the source) and creating fields Logstash	7	5894	July 6, 2017
Grok and match windows path Logstash	4	2409	June 30, 2019