pvxchain
(PvxChain)
June 8, 2021, 6:41pm
1
Hello
I'm trying to create two events out of one so that the subsequent pipeline takes place in both.
The event itself, before the split happens here:
filter {
  if [type] == "pre-split" {
    mutate {
      replace => {"value_1" => "value_1_pre"}
      replace => {"value_2" => "value_2_pre"}
      replace => {"value_3" => "value_3_pre"}
      replace => {"value_4" => "value_4_pre"}
    }
  }
}
My idea is to separate this event into two, the first with the values 1 and 2 and the second with the values 3 and 4.
It is not clear to me if what I want is possible or if it is with the split filter that I have to do it.
I'm a bit stuck on this topic and a little help would be great for me. Thanks in advance!
A split filter is used to take each entry in an array and create an event for it. (It can also split a delimited string into an array and then do the same.)
I think what you want is a clone filter.
clone { clones => [ "theClone" ] }
if [type] == "theClone" {
  # Do one thing
} else {
  # Do another
}
1 Like
pvxchain
(PvxChain)
June 8, 2021, 8:53pm
3
Thanks @Badger!
So the idea would be something like this?
filter {
  if [type] == "pre-split" {
    mutate {
      replace => {"value_1" => "value_1_pre"}
      replace => {"value_2" => "value_2_pre"}
      replace => {"value_3" => "value_3_pre"}
      replace => {"value_4" => "value_4_pre"}
    }
    clone { clones => [ "value12" ] }
    if [type] == "value12" {
      # The clone: remove_field takes field names, not the values stored in them
      mutate { remove_field => [ "value_3","value_4" ] }
    } else {
      # The original event: mutate has no "type" option, so set the field with replace
      mutate { replace => { "type" => "value34" } }
      mutate { remove_field => [ "value_1","value_2" ] }
    }
  }
}
So I understand that the two "events" that have been generated from the original will be processed separately as shown in the following image?
I have made this drawing (sorry for my lack of artistic skill) that I don't know if it would help to understand what I want to do:
system
(system)
Closed
July 6, 2021, 8:59pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
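A self-contained test pipeline for the clone approach discussed in this thread, added here as an example (it is not code from either poster). It assumes the clone filter writes the clone name into [type], as in Badger's snippet; the generator input, its constructed message and the stdout output are assumptions added so the pipeline can be run on its own and both resulting events inspected.

```logstash
# Constructed test input: emits a single event with type "pre-split".
input {
  generator {
    count => 1
    lines => [ "constructed test event" ]
    type  => "pre-split"
  }
}

filter {
  if [type] == "pre-split" {
    # Populate the four fields on the original event.
    mutate {
      replace => {
        "value_1" => "value_1_pre"
        "value_2" => "value_2_pre"
        "value_3" => "value_3_pre"
        "value_4" => "value_4_pre"
      }
    }
    # Emit one copy of the event. The copy carries type "value12";
    # the original keeps type "pre-split".
    clone { clones => [ "value12" ] }
  }

  # From here on there are two independent events, and each one
  # passes through the rest of the filter section on its own.
  if [type] == "value12" {
    # The clone keeps values 1 and 2.
    mutate { remove_field => [ "value_3", "value_4" ] }
  } else if [type] == "pre-split" {
    # The original is relabelled and keeps values 3 and 4.
    mutate {
      replace      => { "type" => "value34" }
      remove_field => [ "value_1", "value_2" ]
    }
  }
}

# Print both events so the split can be checked by eye.
output {
  stdout { codec => rubydebug }
}
```

Running it should print two events, one with type "value12" holding only value_1 and value_2, and one with type "value34" holding only value_3 and value_4.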