Logstash: how to add file name as a field?

Question

I'm using Logstash + Elasticsearch + Kibana to have an overview of my Tomcat log files.

For each log entry I need to know the name of the file from which it came. I'd like to add it as a field. Is there a way to do it? I've googled a little and I've only found this SO question, but the answer is no longer up-to-date.

So far the only solution I see is to specify separate configuration for each possible file name with different "add_field" like so:

input {   file {      type => "catalinalog"      path => [ "/path/to/my/files/catalina**" ]      add_field => { "server" => "prod1" }   } } 

But then I need to reconfigure logstash each time there is a new possible file name. Any better ideas?

Answer 1

Hi I added a grok filter to do just this. I only wanted to have the filename not the path, but you can change this to your needs.

filter {   grok {     match => ["path","%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"]   } } 

Answer 2

In case you would like to combine the message and file name in one event:

filter { grok {     match => {          message => "ERROR (?<function>[\S]*)"         } } grok {     match => {          path => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"         } }}   

The result in ElasticSearch (focus on 'filename' and 'function' fields):

"_index": "logstash-2016.08.03",     "_type": "logs",     "_id": "AVZRyEI49-A6kyBCq6Yt",     "_score": 1,     "_source": {       "message": "27/07/16 12:16:18,321 ERROR blaaaaaaaaa.internal.com",       "@version": "1",       "@timestamp": "2016-08-03T19:01:33.083Z",       "path": "/home/admin/mylog.log",       "host": "my-virtual-machine",       "function": "blaaaaaaaaa.internal.com",       "filename": "mylog"     }