Hi,
What I am trying to do is , if the unformatted text is like
updating demand record with key:202107231924440412212356|current demand quantity:1|quantity getting reduced:1|shipmentno:170801380
then I want to create field like key,quantity, shipmentno. I don't want to predefine the fields. This will help me to run stats on some unformatted logs for a specific field, lets say 'shipmentno'
You could try something like
dissect { mapping => { "message" => "updating demand record with %{[@metadata][restOfLine]" } }
kv { field_split => "|" value_split => ":" }Actually the string might change. As an example lets say,
1st String is: Creating ShipmentNo:1234
2nd string is: Processing ShipmentNo:1234
3rd string can be : Reducing demand for ShipmentNo:1234 and reduced Quantity:2
In all the above cases, I want a ShipmentNo field getting populated. I can't predefine what will be the format of the string or what are the fields expected. All I want to declare is, if logstash finds a ':' operator, then the word appears before ':' needs to be the field name and word follows the ':' needs to be the value.
OK, I would use ruby for that. Something like this. You would not need to grok, just the ruby filter and
m = event.get("message").scan(/(\w+):(\w+)/)This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.