Hey,
I have message:
"message": "[Fri Jul 24 23:34:09 2015] [error] [client 217.118.78.107] device-model=Fly+IQ4415+Quad&ram=456&build-type=etc1", All I want is to parse 3 fields:
"device_model": "Fly IQ4415 Quad"
"ram": "456"
"build_type": "etc1"
THX for helping me!!!
You can use grok to extract "device-model=Fly+IQ4415+Quad&ram=456&build-type=etc1" into a field and then use the kv filter to extract the three fields you're interested in. Finally, use the urldecode filter to turn "Fly+IQ4415+Quad" into "Fly IQ4415 Quad".
can you help me with urldecoder filter to turn "Fly+IQ4415+Quad" into "Fly IQ4415 Quad". I can't get it!
Hmm. It seems Ruby's URI module doesn't decode plus signs to spaces. My RFC-fu isn't strong enough to explain why this is the correct behavior (if indeed it is). I suggest you use a mutate filter to replace plus signs with spaces and use urldecode for other encoded characters that potentially could occur in the string.
mutate {
gsub => ["device-model", "\+", " "]
}© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.