Hello every body,
Apr 1 15:00:01 pc-tst cft: 21/04/20 00:00:00 CFTC12I IDTU=A0007GK PART=LKOR STATE=Y PHASE=Y PHASESTEP=C DIRECT=S TYPE=F SENTINEL_STATE=POST_PROC Deleted
Is there a method to rename the fields extracted via the kv plugin by adding a prefex (example ctf): SENTINEL_STATE by ctf.SENTINEL_STATE?
Best regards,
You could do the rename in a ruby filter. I am not sure what condition you will need. An example would be
ruby {
code => '
event.to_hash.each { |k, v|
if k.match?(/[A-Z_]+/)
event.set("ctf.#{k}", v)
event.remove(k)
end
}
'
}
That will avoid renaming fields like @timestamp. If you want the fields nested in the ctf object then change that to use
event.set("[ctf][#{k}]", v)
If the set of fields you need to rename is fixed then you might want to use
if [ "IDTU", "PART", "PHASE", ... ].include? k
instead of the regexp.
You can achieve with filter
kv {
source => "message"
field_split_pattern => " "
value_split => "="
prefix => "ctf"
}
}
make sure you are passing only part of string to kv filter
as:
IDTU=A0007GK PART=LKOR STATE=Y PHASE=Y PHASESTEP=C DIRECT=S TYPE=F SENTINEL_STATE=POST_PROC
Use dissect or grok parsing to separate the string for kv filter
Pls let us know if it works
Cheers!
Hello,
Thanks badger and ErSumit for your help, i tested the kv with the prefix and it worked
Best regards
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.