Rafael Augusto
Reputation: 797
Create a field by message logstash
I have a very simple message coming in my logstash, I want to create two fields that are inside this message.
if [message] =~ /.*My process: (?<myfield1>[A-Z]+) - (?<myfield2>[A-Z]+).*/ {
mutate {
add_field => [ "event_type", "eventType" ]
add_tag => ["myTag"]
add_tag => ["MySecondTag"] } }
How can I create a field with the values field1 and field2?
Upvotes: 0
Views: 125
Answers (1)
Marc-Antoine Jutras
Reputation: 164
You should consider changing your mutate filter to a grok filter
grok {
id => "Parse_MyFields"
match => { "message" => [ "/.*My process: %{WORD:myfield1} - %{WORD:myfield2}.*/" ] }
}
This will set the 2 words your trying to extract into the "myfield1" field and "myfield2" field.
Be sure to validate your grok filter with a tool like Grok Constructor or Grok debugger
You can even use add_field with this plugin.
Upvotes: 1
Related Questions
- New field in ELK stack - logstash
- How to create field using Logstash and grok plugin
- Adding fields depending on event message in Logstash not working
- Logstash Add field from grok filter
- Logstash - Add fields from the log - Grok
- Logstash extracting and customizing field with grok and ruby
- Logstash define field within a field
- Logstash / GROK: Creating a custom Variable when parsing a log file
- Store Logstash Grok decomposition in a field
- Logstash - grok use a field other than message