How can I join or paste array elements starting from a specific element?

Hi everybody,

First of all, thanks for your time.

I have a question regarding Logstash. I would like to join some array elements starting from a specific element. In the log that I am processing, the first six fields always have the same pattern: the date always appears in the first, second and third fields, the server name in the fourth, the class name in the fifth and the log level in the sixth. The rest of the fields will be variable. For that reason, the idea came to my mind to split the message field:

               "message" => [
        [0] "03/31/2023",
        [1] "07:10:00.005837",
        [2] "CST",
        [3] "elk1",
        [4] "(SFTPSource)",
        [5] "DEBUG4:",
        [6] "SFTPSource.listDirectory()",
        [7] "fileNames=[invalid_files_tmp.tar.gz,",
        [8] "invalid_files_tmp,",
        [9] "responseOIDLOA1_23032023_115452.txt]"
    ],

I did this with the following code:

    mutate {
      split => { "message" => " " }
    }

    ruby {
      code => "event.set('number_of_elements', event.get('message').length)"
    }

So, I would like to join the fields from the seventh array element up to the last element. The number of the last element would be saved in 'number_of_elements', which I got using the ruby module.

How can I join or paste the rest of the elements into a new variable?

Thanks.

You could try something like

    ruby {
        code => '
            m = event.get("message")
            if m.is_a? Array
                event.set("someField", m.last(m.length - 6).join(" "))
            end
        '
    }
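
The tail join from the answer above, as an added example that is not part of the original thread: plain Ruby that runs outside Logstash, going slightly beyond the answer by handling lines with fewer than six fields, where `m.last(m.length - 6)` would raise `ArgumentError` on the negative count. The names `join_tail`, `split_header`, `HEADER_FIELDS` and `SAMPLE` are made up here, and the sample line is rebuilt from the question's split output.

```ruby
# Added example; names are hypothetical and not from the thread.
# The question describes six fixed fields: date, time, zone, server, class, level.
HEADER_FIELDS = 6

# Sample line rebuilt from the split output shown in the question.
SAMPLE = "03/31/2023 07:10:00.005837 CST elk1 (SFTPSource) DEBUG4: " \
         "SFTPSource.listDirectory() fileNames=[invalid_files_tmp.tar.gz, " \
         "invalid_files_tmp, responseOIDLOA1_23032023_115452.txt]"

# Same result as m.last(m.length - 6).join(" ") for long enough arrays.
# Array#drop returns [] when the array is shorter than the header, so a
# truncated line yields "" instead of an ArgumentError.
def join_tail(parts, header = HEADER_FIELDS)
  return nil unless parts.is_a?(Array)
  parts.drop(header).join(" ")
end

# Alternative on the unsplit line: a split limit of header + 1 keeps
# everything after the sixth field as one string, so the original spacing
# inside the free-text part is preserved (split + join collapses it).
def split_header(line, header = HEADER_FIELDS)
  fields = line.split(" ", header + 1)
  { "header" => fields.first(header), "rest" => fields[header] }
end

if __FILE__ == $PROGRAM_NAME
  puts join_tail(SAMPLE.split(" "))
  puts split_header(SAMPLE).inspect
  puts join_tail(%w[03/31/2023 07:10:00.005837 CST]).inspect  # short line
end
```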

Thanks for your answer.

It works:

             "someField" => "Connection is alive: sun.nio.ch.UnixAsynchronousSocketChannelImpl[connected local=/10.13.11.82:47586 remote=/10.13.11.82:8158]",
            "@timestamp" => 2023-04-01T00:01:47.838Z,
               "message" => [
        [ 0] "03/31/2023",
        [ 1] "08:30:41.734021",
        [ 2] "CST",
        [ 3] "Shared-Executor-2089",
        [ 4] "(DefaultConnection$Ping)",
        [ 5] "DEBUG3:",
        [ 6] "Connection",
        [ 7] "is",
        [ 8] "alive:",
        [ 9] "sun.nio.ch.UnixAsynchronousSocketChannelImpl[connected",
        [10] "local=/10.13.11.82:47586",
        [11] "remote=/10.13.11.82:8158]"
    ],

Regards.
