re-added observer and log.source.hostname to host_split sans domain
Daryl Coburn committed Sep 30, 2024
1 parent 59cd978 commit 6250cd6
Showing 1 changed file with 2 additions and 18 deletions.
20 changes: 2 additions & 18 deletions config/enrichments/18_host_split.conf
Expand Up @@ -93,20 +93,12 @@ filter {
if [log][source][hostname] =~ "^.*?\..*?$" {
if [log][source][hostname] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
grok {
match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>\d+.\d+.\d+.\d+)\.(?<[log][source][domain]>.*?)$" }
match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>\d+.\d+.\d+.\d+)\..*?$" }
tag_on_failure => "_logsourcehostname_grok_failure"
}
mutate {
rename => { "[log][source][tmp]" => "[log][source][hostname]" }
}
} else if [log][source][hostname] !~ "^\d+\.\d+\.\d+\.\d+$" {
grok {
match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>.*?)\.(?<[log][source][domain]>.*?)$" }
tag_on_failure => "_logsourcehostname_grok_failure_2"
}
mutate {
rename => { "[log][source][tmp]" => "[log][source][hostname]" }
}
}
}

Expand Down Expand Up @@ -135,20 +127,12 @@ filter {
if [observer][hostname] =~ "^.*?\..*?$" {
if [observer][hostname] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
grok {
match => { "[observer][hostname]" => "^(?<[observer][tmp]>\d+.\d+.\d+.\d+)\.(?<[observer][domain]>.*?)$" }
match => { "[observer][hostname]" => "^(?<[observer][tmp]>\d+.\d+.\d+.\d+)\..*?$" }
tag_on_failure => "_observerhostname_grok_failure"
}
mutate {
rename => { "[observer][tmp]" => "[observer][hostname]" }
}
} else if [observer][hostname] !~ "^\d+\.\d+\.\d+\.\d+$" {
grok {
match => { "[observer][hostname]" => "^(?<[observer][tmp]>.*?)\.(?<[observer][domain]>.*?)$" }
tag_on_failure => "_observerhostname_grok_failure_2"
}
mutate {
rename => { "[observer][tmp]" => "[observer][hostname]" }
}
}
}
}
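Review bot: In the grok patterns for `[log][source][hostname]` and `[observer][hostname]`, the dots inside the capture group are unescaped (`\d+.\d+.\d+.\d+`), while the conditional directly above each one escapes them (`\d+\.\d+\.\d+\.\d+\.`). The guard hides the difference today, but the capture should match it so the split stays correct if the conditional is later changed: `"^(?<[log][source][tmp]>\d+\.\d+\.\d+\.\d+)\..*?$"`, and the same for `[observer][tmp]`. Separately, assuming the pattern without the `domain` capture is the new side, the suffix after the address is discarded once `tmp` is renamed over the original field, and dotted non-IP names are no longer shortened. A comment such as `# domain suffix intentionally dropped; FQDN hostnames are left unsplit` would record that both are deliberate, since hostname normalization decides whether events from different sources correlate. The enclosing `filter` block starts and ends outside the visible hunks.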