diff --git a/dev-upgrade/elastic/logstash.yml b/dev-upgrade/elastic/logstash.yml
index fe3d36f..0d95239 100644
--- a/dev-upgrade/elastic/logstash.yml
+++ b/dev-upgrade/elastic/logstash.yml
@@ -16,9 +16,8 @@ data:
 source => "message"
 }
 }
- mutate {
- split => { "log.file.path" => "/" }
- add_field => { "env" => "%{[log.file.path][2]}" }
+ grok {
+ match => { "log.file.path" => "(?:/[^/]+){2}/(?[^/]+)" }
 }
 }
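Review bot: The capture group in the added `match` line reads `(?[^/]+)` as shown here, which carries no group name, so nothing would be written to `env`; the name may simply have been lost in rendering, but the committed file should be checked for `(?<env>[^/]+)`. The pattern is also unanchored, so grok accepts the first position in the path where three segments fit; a leading `^` pins the capture to the third segment from the root: `match => { "log.file.path" => "^(?:/[^/]+){2}/(?<env>[^/]+)" }`. The removed `split` plus `[2]` form appears to have selected a different segment for an absolute path (element 0 is the empty string before the leading slash), so it is worth confirming which segment is intended. Events whose path does not match receive only the generic `_grokparsefailure` tag and no `env`, so a dedicated `tag_on_failure => ["_env_parse_failure"]` would make unlabelled events easy to find if `env` is used for routing downstream. The enclosing filter block starts and ends outside this hunk.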