I have a field "msg_string" in my logs which has multiple fields saparated by tilda "~"
e.g. msg_string =firstname~lasname~city~hobby~marks ...
position of fields firstname,lastname are at index 0 and 1
the position of field city is not fixed i can appear anywhere in msg_string hence i am using look up with city names. I am using split to saparate out fields in msg_string and extract firstname and lastname
I have a file with city names for look up i want to add a field name city using lookup file
how to do it please help.
split => ["msg_string","~"]
add_field => {"firstname"=> "%{[msg_string][0]}"}
add_field => {"lastname"=> "%{[msg_string][1]}"}
Can you not use a cab filter with “~” as a separator or perhaps a dissect filter?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.