Can we use clone filter within ruby code block?

Saket_Kumar · June 11, 2015, 6:50am

can we use clone filter within ruby code block?

magnusbaeck · June 11, 2015, 6:55am

I don't think you can call filters from within other filters. If you explain what you're trying to accomplish maybe someone can suggest something that you can do.

Saket_Kumar · June 11, 2015, 7:05am

I parsed xml
input {
file {
path => "/opt/Log/new80.xml"
start_position => "beginning"
}
}

filter {
if [message] =~ "^<?xml .*" {
drop {}
}
multiline {
pattern => "^</response>"
negate => true
what => "next"
}

xml {
source => "message"
target => "videoFrames"

xpath => [
#"response/data/latency","latency",

"/response/data/run/firstView/videoFrames/frame[*]/time/text()","Time_FV",
   	"/response/data/run/firstView/videoFrames/frame[*]/image/text()","Image_FV",
"/response/data/run/firstView/videoFrames/frame[*]/VisuallyComplete/text()","Progess_FV",

Getting output for "Time_FV": [0,800,1600,1800,2100,2400,3000,3300,3500,3600,3700]

I want to split this array into multiple event and output to elasticsearch. Hence thought of cloning for each item in array.

magnusbaeck · June 11, 2015, 7:19am

If the split filter isn't usable for this I think it should be. Worst case, could you use a ruby filter to turn the Time_FV field into a string that you then feed to the split filter?

Saket_Kumar · June 11, 2015, 8:14am

do i need to clone event?
How split works?
i will try as suggested above.

Saket_Kumar · June 11, 2015, 8:26am

If i use
split { field => "Time_FV" }
what output expected.

Saket_Kumar · June 11, 2015, 8:31am

this worked great help.

Can I apply split { on multiple fields}?

magnusbaeck · June 11, 2015, 10:22am

Can I apply split { on multiple fields}?

With multiple split filters, sure.

Saket_Kumar · June 11, 2015, 10:23am

tried but didn't get success.