diff --git a/dev-upgrade/elastic/logstash.yml b/dev-upgrade/elastic/logstash.yml
index 0d95239..7b8dca3 100644
--- a/dev-upgrade/elastic/logstash.yml
+++ b/dev-upgrade/elastic/logstash.yml
@@ -16,8 +16,9 @@ data:
 source => "message"
 }
 }
- grok {
- match => { "log.file.path" => "(?:/[^/]+){2}/(?[^/]+)" }
+ mutate {
+ split => { "[log][file][path]" => "/" }
+ add_field => { "env" => "%{[log][file][path][2]}" }
 }
 }
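Review bot: The `split` in the new `mutate` block rewrites `[log][file][path]` in place, so every event leaves this filter with the path stored as an array of segments instead of the original string, which would break any exact-match search or detection rule keyed on the source file path. Splitting a scratch copy under `[@metadata]` keeps that provenance field intact; the copy needs its own `mutate` block because `copy` runs after `split` inside a single block. When the field is absent or has too few segments, `add_field` stores the literal text `%{[log][file][path][2]}` as `env`, so the filter should sit behind `if [log][file][path]`. Please also confirm the index: for an absolute path the first element after the split is an empty string, so `[2]` selects the second directory, while the removed pattern appears to have captured the third segment. The enclosing filter section starts outside the hunk.

```yaml
    if [log][file][path] {
      # split a scratch copy so [log][file][path] keeps the original string
      mutate {
        copy => { "[log][file][path]" => "[@metadata][path_parts]" }
      }
      mutate {
        split => { "[@metadata][path_parts]" => "/" }
        add_field => { "env" => "%{[@metadata][path_parts][2]}" }
      }
    }
```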