Write log category to field

Hello,

If I have logs like this:

2024-01-29 15:09:43,102 - ERROR - DB:Test1 - Test Error
2024-01-29 15:09:48,653 - ERROR - DB:Test2 - Test Error
2024-01-29 15:09:49,041 - ERROR - DB:Test1 - Test Error
2024-01-29 15:09:49,308 - ERROR - DB:Test1 - Test Error
2024-01-29 15:09:43,102 - ERROR - DB:Test2 - Test Error

And I read those logs with the Filebeat filestream input, is it possible to write a custom field fields:DB for each document containing the DB name?

The documentation only shows how to write a static string into the config like this:

filebeat.inputs:
- type: filestream
  fields:
    appName: "app1"

So can I do something like

filebeat.inputs:
- type: filestream
  fields:
    DB: ..processor or something..

that writes me the DB name, in this case Test1 or Test2 to this field for each log?

If yes, what's the best way and how to do it?

Best regards

Hi,

The dissect processor would be a good fit for this task.

Here's an example of how you could configure it:

filebeat.inputs:
- type: filestream
  processors:
    - dissect:
        tokenizer: '%{} - ERROR - DB:%{[fields.DB]} - %{}'
        field: "message"
        target_prefix: ""

Regards
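
Added example, not part of the original posts and not Filebeat's own code: a small Python emulation of dissect-style delimiter matching, for checking the tokenizer from the answer against sample lines before deploying it. It assumes plain `%{key}` tokens with no modifiers and keeps the key text exactly as written; the last two sample lines are constructed to show that lines without the hard-coded `ERROR - DB:` literal get no DB value.

```python
import re

# Tokenizer copied from the answer above.
TOKENIZER = "%{} - ERROR - DB:%{[fields.DB]} - %{}"

# First two lines are from the question; the last two are constructed for this example.
SAMPLE_LINES = [
    "2024-01-29 15:09:43,102 - ERROR - DB:Test1 - Test Error",
    "2024-01-29 15:09:48,653 - ERROR - DB:Test2 - Test Error",
    "2024-01-29 15:10:02,417 - WARNING - DB:Test2 - Slow query",  # constructed
    "2024-01-29 15:10:05,990 - ERROR - startup failed",           # constructed
]

def compile_tokenizer(tokenizer):
    """Return (leading literal, [(key, literal that follows the key), ...])."""
    # re.split with one capture group yields: literal, key, literal, key, ..., literal
    parts = re.split(r"%\{([^}]*)\}", tokenizer)
    return parts[0], list(zip(parts[1::2], parts[2::2]))

def dissect(tokenizer, line):
    """Return {key: value} for a matching line, or None if a delimiter is missing."""
    head, fields = compile_tokenizer(tokenizer)
    if not line.startswith(head):
        return None
    pos, out = len(head), {}
    for key, delim in fields:
        # A key followed by no literal takes the rest of the line.
        end = line.find(delim, pos) if delim else len(line)
        if end == -1:
            return None
        if key:  # an empty key (%{}) consumes text without storing it
            out[key] = line[pos:end]
        pos = end + len(delim)
    return out

def coverage(tokenizer, lines):
    """Split lines into (extracted values, lines the tokenizer did not match)."""
    hits, misses = [], []
    for line in lines:
        result = dissect(tokenizer, line)
        if result is None:
            misses.append(line)
        else:
            hits.append(result)
    return hits, misses

if __name__ == "__main__":
    hits, misses = coverage(TOKENIZER, SAMPLE_LINES)
    print("extracted:", hits)
    print("unmatched:", *misses, sep="\n  ")
```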
