Hello, I have the field Mat equal to:
Mat = "07/07/2017-03:09:39 0235918 LEFER GUILLAUME Tps"
and I did this but it doesn't work
mutate {
split => { "Mat" => " " }
remove_field => ["Mat[2]","Mat[2]","Mat[2]"]
}
mutate {
add_field => {"time" => "%{Mat[0]}"}
add_field => {"matricule" => "%{Mat[1]}"}
}
can you help me please !! how can I create a new field from a hash table
Thanks 
Solved by doing this
grok {
match => [ "Mat", "%{NOTSPACE:time} %{NOTSPACE:matricule} %{NOTSPACE:matri}"]
}
mutate {
remove_field => ["matri"]
remove_field => ["Mat"]
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.