Create a new field by extracting data from two existing fields in Logstash

saifhitawala · July 13, 2017, 4:01pm

I have created two fields from my logs as shown below:

names: "LeBron", "Jordan", "Philips", "Samuel"
threepointers: "100", "100", "90", "50"

names and threepointers are both of type string. This data has already been extracted from the logs and the log looks something like this:

|1 = LeBron| 2 = 100 | 1 = Jordan | 2 = 100 | 1 = Philip | 2 = 90 | 1 = Samuel | 2 = 50 |

where I extract all the 1s and 2s using kv and field_split, include_keys methods and then mutate on these numbers to rename them to names and threepointers

I would like to create a new field - bestplayers containing all those player names having threepointers = 100 only.
So, essentially I would like to have a result like this:

bestplayers: "LeBron", "Jordan"

Any help would be appreciated! Thanks

magnusbaeck · July 13, 2017, 7:15pm

There's nothing built-in for this but a ruby filter can do it. Something like this perhaps:

event.set(
    'bestplayers',
    event.get('names').zip(event.get('threepointers')).select { |p| p[1] == 100 }.map { |p| p[0] })

system · August 10, 2017, 7:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to give customize name to fields and loop through logs Logstash	3	391	July 6, 2017
Create a field with information from another field Logstash	2	277	May 26, 2020
Extract From a Field Name and Add Fields Logstash	6	1644	February 26, 2020
Recreate new field from old field Logstash	2	246	December 4, 2020
How can update logstash field value? Logstash	4	1230	February 3, 2019

Create a new field by extracting data from two existing fields in Logstash

Related topics