
Trim field value, or remove part of the value


I am trying to adjust the path name so that it no longer has the time stamp attached to the end. I am inputting many different logs, so it would be impractical to write a conditional filter for every possible log. If possible I would just like to trim the last nine characters of the value.

For example "random.log-20140827" would become "random.log".


Solution

  • So if you know it's always going to be random.log-something --

    # Any path containing the literal name random.log
    if [path] =~ /random\.log/ {
      mutate {
         # Overwrite the whole field with the fixed name
         replace => ["path", "random.log"]
      }
    }
    

    If you want to "fix" anything that has a date in it:

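    # Any path containing a hyphen followed by eight digits
    if [path] =~ /-\d\d\d\d\d\d\d\d/ {
       grok {
          # Capture everything before the first "-" into a temporary field
          match => [ "path", "^(?<pathPrefix>[^-]+)-" ]
       }
       mutate {
          # Copy the captured prefix back into path, then drop the temporary field
          replace => ["path", "%{pathPrefix}"]
          remove_field => "pathPrefix"
       }
    }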
    

    Of the two, the first is going to be less compute intensive.

    I haven't tested either of these, but they should work.
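
Added example, not part of the original answer or of Logstash: a Ruby check, run outside Logstash, that applies a capture stopping at the first hyphen and a hypothetical alternative anchored to a trailing eight-digit date to constructed paths, and reports where distinct log files collapse into one `path` value. The names `normalize`, `collisions`, `FIRST_HYPHEN`, `DATE_SUFFIX` and `SAMPLE_PATHS` are assumptions, and Ruby's regex engine stands in for grok here.

```ruby
# Added example: sample paths are constructed; Ruby regexes stand in for grok.
FIRST_HYPHEN = /^(?<pathPrefix>[^-]+)-/       # capture stops at the first "-"
DATE_SUFFIX  = /\A(?<pathPrefix>.+)-\d{8}\z/  # capture everything before a trailing -YYYYMMDD

# Mimics grok + mutate replace: return the captured prefix,
# or the path unchanged when the pattern does not match.
def normalize(path, pattern)
  m = pattern.match(path)
  m ? m[:pathPrefix] : path
end

# Group the original paths by normalized value and keep only the groups
# where more than one distinct base file ended up under the same key.
def collisions(paths, pattern)
  paths.group_by { |p| normalize(p, pattern) }
       .select { |_, originals| originals.map { |o| o.sub(/-\d{8}\z/, "") }.uniq.size > 1 }
end

# Constructed sample input, including a hyphenated directory name
# and a file with no date suffix at all.
SAMPLE_PATHS = [
  "random.log-20140827",
  "/var/log/web-01/access.log-20140827",
  "/var/log/web-01/auth.log-20140827",
  "/var/log/web-01/auth.log-20140828",
  "/var/log/audit/audit.log",
].freeze

if __FILE__ == $PROGRAM_NAME
  { "first hyphen" => FIRST_HYPHEN, "date suffix" => DATE_SUFFIX }.each do |label, pattern|
    puts "== #{label}"
    SAMPLE_PATHS.each { |p| puts "  #{p} -> #{normalize(p, pattern)}" }
    collisions(SAMPLE_PATHS, pattern).each do |key, originals|
      puts "  COLLISION on #{key}: #{originals.join(', ')}"
    end
  end
end
```

A collision means events from different files share one `path`, so any later filter, alert or retention rule keyed on that field can no longer tell them apart.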