So, I have a hostname that is being set by filebeat (and I've written a regex that should grab it), but the following isn't adding fields the way that I think it should.
    grok {
      patterns_dir => "/config/patterns"
      match => { "beat.hostname" => ["%{INSTALLATION}-%{DOMAIN}-%{SERVICE}"] }
      add_field => { "[installation]" => "%{INSTALLATION}" }
      add_field => { "[domain]" => "%{DOMAIN}" }
      add_field => { "[service]" => "%{SERVICE}" }
    }
I can't seem to access beat.hostname, hostname, host or anything like that to add the fields that I want. At present the hostname is: BOS-LAP-MYNAME1
Which should be matched by:
    INSTALLATION [^-]{1,3}
    DOMAIN (BOS|LAP)
    SERVICE (MYNAME1|TEST|12345)
Also note: I've tried the "host" "hostname" and other field names like that to no avail as well, despite those fields being available in Kibana.
Since hostname is nested under beat, you need to match against [beat][hostname] rather than beat.hostname. And to add those fields to the document use the form of %{PATTERN:fieldname} in the match parameter.
    filter {
      grok {
        patterns_dir => ["/config/patterns"]
        match => {
          "[beat][hostname]" => "%{INSTALLATION:installation}-%{DOMAIN:domain}-%{SERVICE:service}"
        }
      }
    }
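A self-contained pipeline for checking the corrected filter without Filebeat, added here as an example and not part of the original answer. It assumes a generator input with two constructed events, defines the question's three patterns inline with pattern_definitions instead of the patterns file, and adds anchors and a custom failure tag, neither of which is in the answer's filter.

```logstash
# Added example, not from the original answer. Events below are constructed.
input {
  generator {
    # Two constructed events; the second has extra characters after a valid SERVICE value.
    lines => [
      '{"beat":{"hostname":"BOS-LAP-MYNAME1"}}',
      '{"beat":{"hostname":"BOS-LAP-TEST99"}}'
    ]
    count => 1
    codec => "json"
  }
}

filter {
  grok {
    # Inline equivalents of the three patterns from the question's patterns file.
    pattern_definitions => {
      "INSTALLATION" => "[^-]{1,3}"
      "DOMAIN"       => "(BOS|LAP)"
      "SERVICE"      => "(MYNAME1|TEST|12345)"
    }
    # grok does not anchor on its own; ^ and $ force the whole hostname to match.
    match => {
      "[beat][hostname]" => "^%{INSTALLATION:installation}-%{DOMAIN:domain}-%{SERVICE:service}$"
    }
    # Distinct tag so hostname parse failures are easy to search for.
    tag_on_failure => ["_hostname_grokparsefailure"]
  }
}

output {
  # Print each event with all fields and tags for inspection.
  stdout { codec => rubydebug }
}
```

The first event gains the installation, domain and service fields; the second carries only the failure tag, whereas without the anchors it would match with service set to TEST and the trailing characters silently dropped.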