How can I join or paste array elements as of a one element?

german · April 1, 2023, 12:23am

Hi everybody,

First of all, thanks for your time.

I have a question regarding to Logstash. I would like to join some array elements as of a specific element. The log that I am processing, the first six fields have the same pattern, I mean, it always appears date in the first, second and third field, the server name in the fourth, class name in the fifth and log level in the sixth. The rest fields'll be variable. For that reason it came to my mind the idea to split the field message:

               "message" => [
        [0] "03/31/2023",
        [1] "07:10:00.005837",
        [2] "CST",
        [3] "elk1",
        [4] "(SFTPSource)",
        [5] "DEBUG4:",
        [6] "SFTPSource.listDirectory()",
        [7] "fileNames=[invalid_files_tmp.tar.gz,",
        [8] "invalid_files_tmp,",
        [9] "responseOIDLOA1_23032023_115452.txt]"
    ],

I did this with the next code:

mutate {

    split => { "message" => " " }

  }

ruby {
  code => "event.set('number_of_elements', event.get('message').length)"
}

So, I would like to join the fields as of seventh element array up to the last element. Last number element it'd be saved in 'number_of_elements' which I got using ruby module.

How can I join or paste the rest elements to a new variable?

Thanks.

Badger · April 1, 2023, 1:02am

You could try something like

    ruby {
        code => '
            m = event.get("message")
            if m.is_a? Array
                event.set("someField", m.last(m.length - 6).join(" "))
            end
        '
    }

german · April 1, 2023, 3:08am

Thanks for your answer.

It works:

             "**someField**" => "Connection is alive: sun.nio.ch.UnixAsynchronousSocketChannelImpl[connected local=/10.13.11.82:47586 remote=/10.13.11.82:8158]",
            "@timestamp" => 2023-04-01T00:01:47.838Z,
               "message" => [
        [ 0] "03/31/2023",
        [ 1] "08:30:41.734021",
        [ 2] "CST",
        [ 3] "Shared-Executor-2089",
        [ 4] "(DefaultConnection$Ping)",
        [ 5] "DEBUG3:",
        [ 6] "Connection",
        [ 7] "is",
        [ 8] "alive:",
        [ 9] "sun.nio.ch.UnixAsynchronousSocketChannelImpl[connected",
        [10] "local=/10.13.11.82:47586",
        [11] "remote=/10.13.11.82:8158]"
    ],

Regards.

system · April 29, 2023, 3:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Concatenate multi arrays into one using ruby Logstash	6	2701	July 22, 2019
How to find last element of array in logstash Logstash	5	3576	August 27, 2020
Splitting multiple arrays in Logstash to create multi events Logstash	4	1727	July 29, 2019
Concatenate / join values of tags into one field Logstash	3	260	April 22, 2022
Split array fields in logstash Logstash	22	10535	June 7, 2017

How can I join or paste array elements as of a one element?

Related topics