Create a new field by extracting data from two existing fields in Logstash

I have created two fields from my logs as shown below:

names: "LeBron", "Jordan", "Philips", "Samuel"
threepointers: "100", "100", "90", "50"

names and threepointers are both of type string. This data has already been extracted from the logs and the log looks something like this:

|1 = LeBron| 2 = 100 | 1 = Jordan | 2 = 100 | 1 = Philip | 2 = 90 | 1 = Samuel | 2 = 50 |

where I extract all the 1s and 2s using kv and the field_split, include_keys methods, and then mutate on these numbers to rename them to names and threepointers.

I would like to create a new field - bestplayers containing all those player names having threepointers = 100 only.
So, essentially I would like to have a result like this:

bestplayers: "LeBron", "Jordan"

Any help would be appreciated! Thanks

There's nothing built-in for this but a ruby filter can do it. Something like this perhaps:

# threepointers holds strings, so convert to an integer before comparing
event.set(
    'bestplayers',
    event.get('names').zip(event.get('threepointers')).select { |p| p[1].to_i == 100 }.map { |p| p[0] })
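The same pairing as a stand-alone Ruby script, added here as an example and not part of the reply above: it compares scores as integers and tolerates a missing field, a single value and mismatched lengths instead of raising inside the filter. `best_players`, `score_equals?` and `FakeEvent` are hypothetical names, and it assumes a field holds a plain string rather than an array when only one value was extracted.

```ruby
# Added example, not from the original thread. Laid out like a Logstash
# ruby-filter script file, where Logstash calls filter(event) for each event.

# True when the raw field value parses as the wanted integer.
# Non-numeric or empty values are treated as "no match" instead of raising.
def score_equals?(raw, wanted)
  Integer(raw.to_s.strip, 10) == wanted
rescue ArgumentError
  false
end

# Pair each name with its score and keep the names whose score equals `wanted`.
# Array() covers a missing field (nil) and a single value held as a plain
# string (assumed behaviour when only one key/value pair was extracted).
def best_players(names, scores, wanted = 100)
  names  = Array(names)
  scores = Array(scores)
  # If the lengths differ the pairs no longer line up, so report nothing
  # rather than attribute a score to the wrong name.
  return [] unless names.length == scores.length

  names.zip(scores)
       .select { |_name, score| score_equals?(score, wanted) }
       .map { |name, _score| name }
end

# Entry point for a script-file ruby filter: returns the events to pass on.
def filter(event)
  event.set('bestplayers',
            best_players(event.get('names'), event.get('threepointers')))
  [event]
end

# Stand-in for a Logstash event so the script runs outside Logstash (constructed).
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end
end
```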
