I am trying to parse Apache access logs with Logstash for a project.
To let Elasticsearch search efficiently I want to reverse the domain name. So for example:
www.example.com becomes com.example.www
I tried to split the domainname and reverse that using the logstash mutate plugin. When parsed as is I get a field
Using settings below I get the following results:
Setting:
mutate {
  split => { "domainname" => "." }
  add_field => { "reversed_domainname" => ["%{[domainname][-1]}", "%{[domainname][-2]}"] }
  join => { "reversed_domainname" => "." }
}
Result:
domainname = [ "www", "example", "com" ]
reversed_domainname =[ "com", "example" ]
Everything works as intended until the join function; as seen in the results, I don't get com.example.
If I remove reversed from the join (split the domainname on "." and join them with ".") I get the same results.
www.example.com becomes www.example.com
How can I join the fields in reversed order, as it clearly should work?
Super derpy, but using an intermediate variable fixed the problem. Don't know if this is meant or if it's a bug. I used the plugins below to fix my problem.
mutate {
  split => { "domainname" => "." }
}
ruby {
  code => "
    x = event['domainname']
    event['reversed_domainname'] = x.reverse.join('.')
  "
}
mutate {
  join => { "domainname" => "." }
}
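
The reversal done in the ruby filter above, written as a stand-alone Ruby function. This is an added example, not code from the original post, and it goes beyond the post by handling values a logged host field can contain besides a clean name (port suffix, trailing dot, mixed case, IP literals, Apache's "-" placeholder). The names reverse_domain and ip_literal? and the sample values are assumptions made for illustration.

```ruby
require 'ipaddr'

# Added example. Returns the host with its labels reversed
# ("www.example.com" -> "com.example.www"), or nil when the value should not
# be reversed. The host value is client-controlled, so malformed input is
# expected; returning nil lets the caller tag the event instead of indexing it.
def reverse_domain(raw)
  return nil if raw.nil?
  host = raw.strip.downcase
  return nil if host.empty? || host == '-'   # "-" is Apache's placeholder for a missing value
  return nil if host.start_with?('[')        # bracketed IPv6 literal such as [::1]:8080

  host = host.sub(/:\d+\z/, '')              # drop a :port suffix
  host = host.chomp('.')                     # drop the trailing dot of a fully qualified name
  return nil if ip_literal?(host)            # reversing the octets of an IP would be misleading

  labels = host.split('.', -1)               # -1 keeps empty labels so "a..b" is detected
  return nil if labels.any? { |l| l.empty? || l.length > 63 }
  # Letters, digits, hyphen and underscore; no leading or trailing hyphen.
  return nil unless labels.all? { |l| l.match?(/\A[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\z/) }

  labels.reverse.join('.')
end

# True when the string parses as an IPv4 or IPv6 address.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::Error
  false
end

# Constructed sample values, as they might appear in a logged host field.
SAMPLES = ['www.example.com', 'WWW.Example.COM.:443', '192.0.2.10', '-', 'bad..name'].freeze
SAMPLES.each { |s| puts "#{s.inspect} -> #{reverse_domain(s).inspect}" }
```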