I've been tasked with managing our ELK stack and writing rules for elastalert, but need a specific part of one field I already have as its own field in order to use elastalert's query_key functionality on that field. We're using these rules here:
https://github.com/hpcugent/logstash-patterns/blob/master/files/grok-patterns
/path_field_1/UID/path_field_2/path_params
Where UID is a 32 character unique identifier of 0-9,a-z,A-Z. I can access the whole URI in Kibana, but I eventually need UID to be its own field so that I can use elastalert's query_key over it. The lines containing this UID are always preceded by "/path_to_field_1/".
As a total novice, I'm not sure what might be some (good?) ways to achieve this - and the documentation (which I've been pouring over for a week) is pretty arcane.
You were on the right track looking at grok, if the preceding bit is always the same, you could use grok to grab the UID
grok {
match => {
"uri_field" => "/path_to_field_1/%{DATA:UID}/%{GREEDYDATA}"
}
}