Extract From a Field Name and Add Fields

I need to copy the dynamic "MODEL" from the field name and copy the value "RandomSerial" to new fields.

When "MODEL" and "RandomSerial" will be different for all messages.

Logstash Output:

"Serial Number (MODEL)" => "RandomSerial"

To this:

"Model" => "MODEL"
"Serial Number" => "RandomSerial"

My thought is this would require ruby code which I'm not familiar with.

Thanks!

I didn't understand question.
where is model comes from?

if your output is
"Serial Number ( MODEL )" => " RandomSerial "
that means field = serial number(model)
and value of that is RandomSerial.

where is this value for Model is coming from?

This is how I am seeing your post
Field => value

You could do that with either dissect or grok, it should not require ruby.

The fields and values are being populated with a ruby script from nested JSON. This thread shows all the configs associated. Utilize Data Parsed From Nested JSON

OK, I think I misunderstood. You have a field on the event with a variable field name "Serial Number ( MODEL )" and its value is "RandomSerial"? You want to rename the field to a fixed value and also extract the variable part of the field name as the value of a field called [Model]? That will definitely require ruby.

I don't have time to test this but you could start with something like:

code => '
    event.to_hash.each { |k, v|
        if k.start_with?("Serial Number (")
             event.set("Model", k.gsub("[^(]+\(", "").gsub(")$", ""))
             event.set("SerialNumber", v)
        end
    }
'

Apologies if my ruby code (like the double gsub) makes your eyeballs bleed.

I recommend against using space in field names (hence [SerialNumber] instead of [Serial Number]).

That worked as is, thanks for your Ruby help again!

I have a question about the other code you supplied me in the other thread.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.