How do I get the filename from the source value supplied by filebeat in logstash?

Question

I want to get the filename from the source value provided by filebeat.

output {
  if [type] == "wxnumber" {
    elasticsearch {
        hosts => "localhost:9200"
        sniffing => false
        manage_template => false
        index => "%{[source]}"
        document_type => "%{[@metadata][type]}"
    }
  }
}

The %{[source]} is usually like /aaa/bbb/ccc.log. How do I set the index to the ccc.log?

@ Kulasangar , Thank for you reply. The result of %{[source]} is like /aaa/bbb/ccc.log. I just want get the ccc.log for this variable. — microchao, Dec 08 '16 at 06:38
Thanks a lot. But I don't know the filename. Maybe it will be ddd.log, eee.log, fff.log and so on. — microchao, Dec 08 '16 at 07:06
What if you use a regex in order to trim the path and get only certain value as mentioned [here](http://stackoverflow.com/questions/30241515/trim-field-value-or-remove-part-of-the-value) — Kulasangar, Dec 08 '16 at 08:42
Thank you Kulasangar, I have solved my issue, Then I use gsub, it can convert all slashes to any wanted. — microchao, Dec 14 '16 at 03:17

score 0 · Accepted Answer · edited May 23 '17 at 12:30

0

Maybe you could use the mutate in order to replace it with how your log file should be named:

if [%{[source]}] =~ /aaa/bbb/ccc.log {
  mutate {
     replace => ["%{[source]}]", "ccc.log"]
  }
}

This SO might be helpful!

edited May 23 '17 at 12:30

Community

1
1

answered Dec 07 '16 at 11:17

Kulasangar

9,046
5
51
82

How do I get the filename from the source value supplied by filebeat in logstash?

1 Answers1