Best method of delimiter splitting

gborg · November 22, 2019, 4:38pm

Hello

I have had a few fields with deliniter seperated strings that I have expanded into their own fields
With grok

Is that the best method ?

Explanation:

You have a field: ":foo:bar:goat"

I want the first field, I can do a grok filter ":%{WORD:fieldIwant}"

But is there a better method ?

In a standard POSIX shell I would just do "awk -F ":" '{print $1}"

Just seems weird to me to use something I think of more like regex to simply delimeter data

So yeah, is the grok approach the right one or would it be better to use something like split and then addressing the field by position ?

I am processing over 10K messages per second so my primary concern is efficiency

elasticforme · November 22, 2019, 4:41pm

this is what I have done

For first field, and then remove everthing.
I do not know which is better grok or split.

mutate {
        split => ["s_it", ":"]
        add_field => { "size" => "%{[s_it][0]}" }
}
mutate { remove_field => [ "[s_it]" }

gborg · November 22, 2019, 6:30pm

Cool
i haven't seen this method before

system · December 20, 2019, 6:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.