Create 1 document from multiple documents

Hello,

I have an input field that contains values. For further processing I need to divide this field with a separator (";") and then work with it. In my case, this is the text of the script in which I search for constants.

The point is that based on the split values, I look up other values from the script and the field may or may not be found. For example:
input: where order = 1; where order like '2' (I gave a simple example, but in fact the whole SQL scripts are input):
where order = '1'
where order like '2'

and I'm working on it to find out with the help of ruby
constant => 1,2
=constant => 1

My expected output would be:
script_name => "script2"
folder_name => "BRD"
statement:
{
[
constant => 1
= constant => 1
],
[
constant => 2
]
}

  1. I tried the way that I used a filter -> split. It's okay, just the result is divided into more documents.

filter {
    split {
        field => 'message'
        target => 'results'
        terminator => ';'
    }
}

  2. Then I tried filter -> mutate -> split, it all made me into 1 document again, but differently than I wish.

filter {
    mutate {
        # split the field on
        split => ["message", ""]
    }
}

I also thought of using the transpose function in ruby, but that could only be used if the number of elements of the result were stable, but it is not.

How could I please achieve output in only one document?

I am sending the current code below (this is a version only for testing, so input and output are like that :D):

input {
    stdin {}
}

filter {
    split {
        field => 'message'
        target => 'results'
        terminator => ';'
    }

    # every single-quoted constant in the statement
    ruby {
        code => "
            mat = event.get('results').scan(/'(.*?)'/).uniq
            event.set('constant', mat.flatten)
        "
    }

    # only the constants that follow an = sign
    ruby {
        code => "
            mat = event.get('results').scan(/= '(.*?)'/).uniq
            event.set('=constant', mat.flatten)
        "
    }
}

output {
    stdout {}
}
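
One way to keep everything in a single document, shown as an added example that is not part of the original post: do the splitting inside Ruby instead of the `split` filter and build one array with an entry per statement. The helper name `extract_statements` and the constructed sample are assumptions; the two patterns are the ones from the post. It goes slightly beyond the post by not splitting on a `;` that sits inside a quoted SQL literal.

```ruby
require 'json'

# Patterns taken from the post's ruby filters.
QUOTED    = /'(.*?)'/    # any single-quoted constant
EQ_QUOTED = /= '(.*?)'/  # constant that follows an = sign

# One statement = a run of quoted literals and non-';' characters,
# so a ';' inside '...' does not end the statement.
STATEMENT = /(?:'[^']*'|[^;'])+/

# Hypothetical helper: returns one hash per statement, in input order.
# A key is present only when that pattern matched in the statement.
def extract_statements(message)
  message.to_s.scan(STATEMENT).map(&:strip).reject(&:empty?).map do |stmt|
    all = stmt.scan(QUOTED).flatten.uniq
    eq  = stmt.scan(EQ_QUOTED).flatten.uniq
    entry = {}
    entry['constant']  = all unless all.empty?
    entry['=constant'] = eq  unless eq.empty?
    entry
  end
end

# Constructed sample input, modelled on the example in the post.
SAMPLE = "where order = '1'; where order like '2'"

# Inside a Logstash ruby filter the same logic would end with (assumption):
#   event.set('statement', extract_statements(event.get('message')))
if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate('statement' => extract_statements(SAMPLE))
end
```

Because the event is never split, fields such as script_name and folder_name stay on the same document as the `statement` array.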
