Combine strings from array into field

rsaeks · October 20, 2016, 3:02pm

Hi all,

I'm working with manipulating some data from a logstash filter and haven't had any luck in figuring out how to do one specific action. I'm parsing a string and am pulling all the needed data where in my field called action there is an array of strings "Delivering" and "via IPv4 Protocol". I'd like to combine those two into the single string "Delivering via IPv4 protocol" and store the result back into the field action.

I've tried the merge mutate action but that hasn't matched what I'm hoping to get. Is there another way to do this I might be missing? I'm matching:

"Delivering to SERVERNAME.DOMAIN via IPv4 protocol" with
%{WORD:action} %{WORD} &{IPORHOST:receivingServer} %{GREEDYDATA:action}

13koushik · October 20, 2016, 9:41pm

Hi,

Use add_field of mutate to merger values of an array. Say I have a field name which is an array that holds two values,

"Msg" => [
[0] "Delivering",
[1] "via IPV4"
]

Check this out,

mutate {
add_field => {
"New_Msg" => "%{Msg[0]} %{Msg[1]}" } }

magnusbaeck · October 21, 2016, 5:54am

A single add_field is sufficient, provided that you don't capture both "Delivering to" and "via IPv4 protocol" into the same field (and why would you want to do that?):

grok {
  match => {
    "message" => "%{WORD:action} %{WORD} %{IPORHOST:receivingServer} %{GREEDYDATA:action2}"
  }
}

mutate {
  add_field => {
    "new_field" => "%{action} %{action2}"
  }
}

Topic		Replies	Views
Using "merge" to append a string literal to an array field? Logstash	5	2945	April 5, 2019
Concatenate / join values of tags into one field Logstash	3	260	April 22, 2022
Mutate Add_field Logstash	2	1293	September 30, 2016
Add an array using Mutate's add_field Logstash	5	8888	October 29, 2019
Converting term array into individually name fields Logstash	3	678	July 6, 2017

Combine strings from array into field

Related topics