Codec line delimiter by regex


(Nofar) #1

Is it possible?

I need to create a delimiter like this: <9> or <13>
codec => line { delimiter => "<\d+>" }

It relates to this delimiter as is, and expects to receive the "<\d+>" string...


(Guy Boertje) #2

Sorry, not possible. The delimiter is used as a String literal.


(Nofar) #3

Thank you.

Is there another way to get it?
I tried to look at the multiline codec; it uses regex, but it also seems unsuitable because of the way it cuts the rows.


(Guy Boertje) #4

Not with codecs.

You should be able to do it with mutate gsub and then mutate split and then split.

input {
  generator { count => 1 message => "stop<9>wait for it<13>go go go - man" }
}

filter {
  # we can do this in one mutate filter block
  # because the gsub is done before the split in the code.
  mutate {
    gsub => ["[message]", "<\d+>", "^|^"]
    split => { "[message]" => "^|^" } # creates an array of strings in the [message] field
  }
  split { field => "[message]" }
}

output { stdout { codec => rubydebug } }

Results

{
      "@version" => "1",
       "message" => "stop",
          "host" => "Elastics-MacBook-Pro.local",
      "sequence" => 0,
    "@timestamp" => 2018-01-15T09:47:39.736Z
}
{
      "@version" => "1",
       "message" => "wait for it",
          "host" => "Elastics-MacBook-Pro.local",
      "sequence" => 0,
    "@timestamp" => 2018-01-15T09:47:39.736Z
}
{
      "@version" => "1",
       "message" => "go go go - man",
          "host" => "Elastics-MacBook-Pro.local",
      "sequence" => 0,
    "@timestamp" => 2018-01-15T09:47:39.736Z
}
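
Added example, not part of the original thread and not Logstash's own code: a plain-Ruby model of the gsub-then-split approach from the config above, next to a direct regex split, showing two inputs where they differ (a message that already contains the "^|^" placeholder, and a message that starts with a delimiter). The function names and the extra sample strings are constructed for illustration.

```ruby
# Plain Ruby sketch; all function names here are hypothetical.
DELIM    = /<\d+>/   # the delimiter pattern from the thread
SENTINEL = "^|^"     # the placeholder token used in the config above

# Message from the generator input in the thread.
SAMPLE = "stop<9>wait for it<13>go go go - man"
# Constructed inputs for the two edge cases.
COLLIDES    = "a ^|^ b<9>c"      # text already contains the placeholder
LEADING_PRI = "<13>foo<9>bar"    # message starts with a delimiter

# Models the two mutate steps: replace every regex match with a literal
# token, then split on that literal token.
def split_via_sentinel(message, pattern = DELIM, sentinel = SENTINEL)
  message.gsub(pattern, sentinel).split(sentinel)
end

# Splits on the regex directly and drops empty pieces, such as the empty
# string left in front of a leading delimiter.
def split_by_regex(message, pattern = DELIM)
  message.split(pattern).reject(&:empty?)
end

# Keeps the number from each <N> marker together with the text after it.
# Text that precedes the first marker is paired with nil.
def split_with_marker(message)
  parts = message.split(/<(\d+)>/)   # a capture group is returned by split
  head = parts.shift
  records = head.to_s.empty? ? [] : [[nil, head]]
  parts.each_slice(2) { |num, text| records << [num.to_i, text.to_s] }
  records
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE, COLLIDES, LEADING_PRI].each do |msg|
    puts "input:    #{msg.inspect}"
    puts "sentinel: #{split_via_sentinel(msg).inspect}"
    puts "regex:    #{split_by_regex(msg).inspect}"
    puts "markers:  #{split_with_marker(msg).inspect}"
  end
end
```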
