Combine strings from array into field

rsaeks · October 20, 2016, 3:02pm

Hi all,

I'm working with manipulating some data from a logstash filter and haven't had any luck in figuring out how to do one specific action. I'm parsing a string and am pulling all the needed data where in my field called action there is an array of strings "Delivering" and "via IPv4 Protocol". I'd like to combine those two into the single string "Delivering via IPv4 protocol" and store the result back into the field action.

I've tried the merge mutate action but that hasn't matched what I'm hoping to get. Is there another way to do this I might be missing? I'm matching:

"Delivering to SERVERNAME.DOMAIN via IPv4 protocol" with
%{WORD:action} %{WORD} &{IPORHOST:receivingServer} %{GREEDYDATA:action}

13koushik · October 20, 2016, 9:41pm

Hi,

Use add_field of mutate to merger values of an array. Say I have a field name which is an array that holds two values,

"Msg" => [
[0] "Delivering",
[1] "via IPV4"
]

Check this out,

mutate {
add_field => {
"New_Msg" => "%{Msg[0]} %{Msg[1]}" } }

magnusbaeck · October 21, 2016, 5:54am

A single add_field is sufficient, provided that you don't capture both "Delivering to" and "via IPv4 protocol" into the same field (and why would you want to do that?):

grok {
  match => {
    "message" => "%{WORD:action} %{WORD} %{IPORHOST:receivingServer} %{GREEDYDATA:action2}"
  }
}

mutate {
  add_field => {
    "new_field" => "%{action} %{action2}"
  }
}