Breaking down a field

alexsamad · December 9, 2018, 1:22am

Hi

so i have a
grok {
match => [ "message", " +"(?<http_ybid>[^"]*)" *%{GREEDYDATA:msg}"]
}

now this field could be
"-"
or
"1234.999"

I would like to end up with if possible
http_ybid to equal "-" or "1234.999"

and
http_ybid.trans to equal "-" or "1234"
http_ybid.req to equal "-" or "999"

How can i do that ?

I'm guessing I can

if [http_ybid] = "-"
http_ybid.trans = "-"
http_ybid.req = "-"
else
http_ybid.trans = match up to "."
http_ybid.req = match after "."
fi

but how do I do that ?

A

bigphil · December 9, 2018, 4:43am

Should be fairly easy using the mutate filter. First...is having a - a requirement for the fields? If not, I'd suggest using the mutate gsub option and convert the - to a 0 if that is what the value is when the doc arrives to Logstash. That way the mapping data type for the field could be an integer vs a string which is typically preferred but not always. Second, I'd use the mutate split option to split the field if it is found not to be a - (or 0). Then you'd have an array object and you could then create new fields based on those values, i.e.
If [http_ybid] != "0" {
mutate {
add_field => {
"[http_ybid][trans]" => "%{http_ybid[0]}"
"[http_ybid][req]" => "%{http_ybid[1]"}
}
}
}

alexsamad · December 9, 2018, 10:56pm

Cool, that looks easy

A

alexsamad · December 10, 2018, 1:14am

Did it slightly different
mutate {
gsub => [ "http_ybid", "-", "0" ]
}

if [http_ybid] != "0" {
      grok {
        match => [ "http_ybid", "(?<ybid.sess>[^.]*)\.(?<ybid.trans>.*)" ]
      }
}

no real reliance on on -. so the move to 0 works. guess I could just test for -

system · January 7, 2019, 1:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.