Question

I'm using Logstash + Elasticsearch + Kibana to have an overview of my Tomcat log files.

For each log entry I need to know the name of the file from which it came. I'd like to add it as a field. Is there a way to do it? I've googled a little and I've only found this SO question, but the answer is no longer up-to-date.

So far the only solution I see is to specify separate configuration for each possible file name with different "add_field" like so:

input {
  file {
    type => "catalinalog"
    path => [ "/path/to/my/files/catalina**" ]
    add_field => { "server" => "prod1" }
  }
}

But then I need to reconfigure logstash each time there is a new possible file name. Any better ideas?


Solution

Hi, I added a grok filter to do just this. I only wanted to have the filename, not the path, but you can change this to your needs.

filter {
  grok {
    match => ["path","%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"]
  }
}

OTHER TIPS

In case you would like to combine the message and file name in one event:

filter {
  grok {
    match => { "message" => "ERROR (?<function>[\S]*)" }
  }
  grok {
    match => { "path" => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.log" }
  }
}

The result in Elasticsearch (focus on the 'filename' and 'function' fields):

{
  "_index": "logstash-2016.08.03",
  "_type": "logs",
  "_id": "AVZRyEI49-A6kyBCq6Yt",
  "_score": 1,
  "_source": {
    "message": "27/07/16 12:16:18,321 ERROR blaaaaaaaaa.internal.com",
    "@version": "1",
    "@timestamp": "2016-08-03T19:01:33.083Z",
    "path": "/home/admin/mylog.log",
    "host": "my-virtual-machine",
    "function": "blaaaaaaaaa.internal.com",
    "filename": "mylog"
  }
}
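To see exactly what the two grok patterns in the accepted solution and in this answer capture, here is an added Python model of the relevant grok behaviour (this is illustrative code, not part of either answer and not Logstash's own implementation). It assumes grok's defaults: `%{GREEDYDATA}` expands to `.*`, patterns are searched anywhere in the field rather than anchored, Oniguruma `(?<name>...)` groups become event fields, and a miss tags the event with `_grokparsefailure`. The sample events are constructed from the result shown above plus a Tomcat-style rotated file name and a message without `ERROR`, to show both the match and the failure path. Note that `path` is set by the file input from the filesystem, so a log line cannot influence it, whereas `message` is whatever was written to the log.

```python
import re

# The only grok pattern the two answers use; real grok ships hundreds.
GROK_PATTERNS = {"GREEDYDATA": r".*"}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Translate a grok pattern into a Python regex.

    %{NAME:field} -> named group (?P<field>...), %{NAME} -> anonymous group,
    and Oniguruma-style (?<name>...) -> Python's (?P<name>...).
    """
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    regex = _GROK_REF.sub(expand, pattern)
    # (?<=...) and (?<!...) lookbehinds are untouched: \w+> will not match them.
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)


def grok_match(event: dict, field: str, pattern: str) -> dict:
    """Apply one grok filter to an event, mirroring Logstash defaults:
    unanchored search, captured groups become fields, a miss adds the
    _grokparsefailure tag and leaves the event otherwise unchanged."""
    m = re.search(grok_to_regex(pattern), str(event.get(field, "")))
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event


def add_filename_and_function(event: dict) -> dict:
    """The two grok filters from the answer above, applied in order.

    The first GREEDYDATA in the path pattern is greedy, so it backtracks to
    the last '/', and 'filename' keeps everything up to the final '.log';
    a rotated 'catalina.2016-08-03.log' therefore yields 'catalina.2016-08-03'.
    """
    grok_match(event, "message", r"ERROR (?<function>[\S]*)")
    grok_match(event, "path", r"%{GREEDYDATA}/%{GREEDYDATA:filename}\.log")
    return event


if __name__ == "__main__":
    # Constructed sample events, modelled on the Elasticsearch result above.
    matched = add_filename_and_function({
        "message": "27/07/16 12:16:18,321 ERROR blaaaaaaaaa.internal.com",
        "path": "/home/admin/mylog.log",
        "host": "my-virtual-machine",
    })
    rotated = add_filename_and_function({
        "message": "03/08/16 19:01:33,083 INFO Server startup in 1234 ms",
        "path": "/opt/tomcat/logs/catalina.2016-08-03.log",
    })
    print(matched)   # gains function and filename, no tags
    print(rotated)   # gains filename, tagged _grokparsefailure (no ERROR)
```

The failure tag is worth watching in Kibana: a spike in `_grokparsefailure` on the `message` grok usually means a log format change, while the `path` grok only fails for files that do not end in `.log`, which the `catalina**` glob in the question would happily pick up.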
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow