Hi,
I'm using dissect filter to quickly parse data. Then i would like to use kv to divide one of the newly created field into many values.
new field:
field1=value1,field2=value2,field3=[abc, abc2, abc3],field4=value4
dissect
field1=%{field1},field2=%{field2},field3=%{field3},field4=%{field4}
Dissect works fine (i'm filtering out "[" and "]", but how can I create appriopriate kv filter?
This does not appear to work:
kv {
source => "field3"
field_split => ", "
}
field3 appears to be csv, not kv.
Ok,
Still something is wrong
if:
csv {
source => "field3"
separator => ", "
}
Error parsing csv {:field=>"field3", :source=>"", :exception=>#<NoMethodError: undefined method `each_index' for nil:NilClass>}
Update:
After changing ", " to "," it works (9 out of 10 times, rest error :exception=>#<NoMethodError: undefined method `each_index' for nil:NilClass), but instead of putting multiple value into role field it creates new fields "columns". Target => "role" does not work.
Not sure what to say. With
dissect { mapping => { "message" => "field1=%{field1},field2=%{field2},field3=[%{field3}],field4=%{field4}" } }
csv { source => "field3" separator => ", " target => "role" }
I get
"role" => {
"column2" => "abc2",
"column1" => "abc",
"column3" => "abc3"
},And how to change to this:
csv {
source => "field3"
separator => ", "
target => "field3"
}
I do not want any new columns fields, I only want one "field3" multivalue field
If you want field3 to be an array get rid of the csv filter and use
mutate { split => { "field3" => ", " } }
which gets you
"field3" => [
[0] "abc",
[1] "abc2",
[2] "abc3"
],Thank you 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.