Determine when to stop capturing event and start another one

sahar_q · May 17, 2017, 10:13am

Hi guys, say im sending an data to log stahs through http, the data is separated in commas and each line represent and single event (that i want it to be independent as a document)
Data for example:

"192.168.0.1","255.255.255.245","01-00-5e-40-98-8f","static"|
"192.168.0.1","255.255.255.250","01-00-5e-7f-ff-fa","static"|
"192.168.0.1","255.255.255.255","ff-ff-ff-ff-ff-ff","static"|

i used csv filter like so :

csv {
columns => [
"interface",
"ip address",
"physical address",
"type"
]
separator => ","
}

and i want each line to be represented as a document with this filter, but i dont quite get how do i seperate the events.

Edit: Problem solved.

warkolm · May 21, 2017, 12:00am

Is the | the delimiter int he http body?

sahar_q · May 28, 2017, 12:44pm

yes it is
Edit: Problem solved.

warkolm · May 28, 2017, 8:47pm

How did you solve it?

sahar_q · May 29, 2017, 8:07am

I decided to use split{} and grok in order to get what i want.
the full input is recived via http and this is the config i used:

filter{
mutate {
remove_field => ["headers"]
}
split {
field => "message"
terminator => "|"
}
grok {
match => {"message" => ["%{IP:interface},%{IP:internet_address},%{MAC:physical_address},%{WORD:type}"]}

}
}

Topic		Replies	Views
Separate Message into different event Logstash	5	372	June 13, 2018
Simple Split filter Logstash	5	340	May 10, 2019
Help ingesting Data Logstash	3	226	August 14, 2023
Message not splitting into events on new line Logstash	4	2246	October 21, 2020
How to split one line document into several documents using logstash? Logstash	2	176	March 14, 2024

Determine when to stop capturing event and start another one

Related topics