can we use clone filter within ruby code block?
I don't think you can call filters from within other filters. If you explain what you're trying to accomplish maybe someone can suggest something that you can do.
I parsed xml
input {
file {
path => "/opt/Log/new80.xml"
start_position => "beginning"
}
}
filter {
if [message] =~ "^<?xml .*" {
drop {}
}
multiline {
pattern => "^</response>"
negate => true
what => "next"
}
xml {
source => "message"
target => "videoFrames"
xpath => [
#"response/data/latency","latency",
"/response/data/run/firstView/videoFrames/frame[*]/time/text()","Time_FV",
"/response/data/run/firstView/videoFrames/frame[*]/image/text()","Image_FV",
"/response/data/run/firstView/videoFrames/frame[*]/VisuallyComplete/text()","Progess_FV",
Getting output for "Time_FV": [0,800,1600,1800,2100,2400,3000,3300,3500,3600,3700]
I want to split this array into multiple event and output to elasticsearch. Hence thought of cloning for each item in array.
If the split filter isn't usable for this I think it should be. Worst case, could you use a ruby filter to turn the Time_FV field into a string that you then feed to the split filter?
do i need to clone event?
How split works?
i will try as suggested above.
If i use
split { field => "Time_FV" }
what output expected.
this worked great help.
Can I apply split { on multiple fields}?
Can I apply split { on multiple fields}?
With multiple split filters, sure.
tried but didn't get success.