Dani
March 24, 2016, 8:32pm
1
I'm trying to mutate my string into an array and then put each term into a separate field.
At the end of my grok, I have this pattern: (?<info>([^:])*)
I've got the following mutate:
mutate {
  split => ["info", "::"]
  add_field => {"info_1" => "%{info[0]}"}
  add_field => {"info_2" => "%{info[1]}"}
  add_field => {"info_3" => "%{info[2]}"}
  add_field => {"info_4" => "%{info[3]}"}
  add_field => {"info_5" => "%{info[4]}"}
  add_field => {"info_6" => "%{info[5]}"}
  add_field => {"info_7" => "%{info[6]}"}
  add_field => {"info_8" => "%{info[7]}"}
}
But the problem I have is that if the term at a set index does not exist, the data ends up being the pattern as a string:
"info_5" => "%{info[4]}",
"info_6" => "%{info[5]}",
"info_7" => "%{info[6]}",
"info_8" => "%{info[7]}"
How do I get rid of these fields when there is no data?
Dani
March 24, 2016, 9:33pm
2
Figured it out...
filter {
  if [info_1] =~ /%\{info\[0\]\}/ { mutate { remove_field => [ "info_1" ] } }
  if [info_2] =~ /%\{info\[1\]\}/ { mutate { remove_field => [ "info_2" ] } }
  if [info_3] =~ /%\{info\[2\]\}/ { mutate { remove_field => [ "info_3" ] } }
  if [info_4] =~ /%\{info\[3\]\}/ { mutate { remove_field => [ "info_4" ] } }
  if [info_5] =~ /%\{info\[4\]\}/ { mutate { remove_field => [ "info_5" ] } }
  if [info_6] =~ /%\{info\[5\]\}/ { mutate { remove_field => [ "info_6" ] } }
  if [info_7] =~ /%\{info\[6\]\}/ { mutate { remove_field => [ "info_7" ] } }
  if [info_8] =~ /%\{info\[7\]\}/ { mutate { remove_field => [ "info_8" ] } }
}
You can also use the prune filter to delete all fields with unexpanded field references. Alternatively, use a ruby filter to do the splitting and assign correct field names from the start.
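
The ruby-filter approach mentioned in the last reply, sketched as an added example that is not code from any poster in this thread. It is written in the script-file form of the Logstash ruby filter (`ruby { path => "split_info.rb" }`); the file name, the `info_overflow` field, the 8-field cap and the `StubEvent` class are assumptions made for illustration.

```ruby
# split_info.rb (assumed file name): split "info" on "::" and create info_N
# fields only for terms that exist, so no "%{info[4]}" literals are ever stored.

SEPARATOR = "::"   # same delimiter as the mutate split in the thread
MAX_PARTS = 8      # the thread uses info_1 .. info_8; the cap bounds field growth

# Logstash calls register once with script_params; nothing to configure here.
def register(params)
end

# Logstash calls filter for every event and expects an array of events back.
def filter(event)
  raw = event.get("info")
  return [event] unless raw.is_a?(String)

  # limit -1 keeps trailing empty terms so positions stay aligned with info_N
  parts = raw.split(SEPARATOR, -1)
  parts.first(MAX_PARTS).each_with_index do |part, i|
    value = part.strip
    next if value.empty?                 # missing term: create no field at all
    event.set("info_#{i + 1}", value)
  end

  # Assumed behaviour: record how many terms exceeded the cap instead of dropping silently.
  extra = parts.length - MAX_PARTS
  event.set("info_overflow", extra) if extra > 0
  [event]
end

# Constructed stand-in for LogStash::Event (get/set only) so the script runs offline.
class StubEvent
  def initialize(fields)
    @fields = fields.dup
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end

  def to_hash
    @fields.dup
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample event with only four terms present.
  p filter(StubEvent.new("info" => "login::alice::10.0.0.5::ok")).first.to_hash
end
```

Because fields are only set for terms that exist, the cleanup conditionals from the second post are no longer needed with this approach.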