How many times does a character appear?

JimP · August 21, 2018, 7:57pm

I would like to be able to find out how many times a character appears in a field. Is this possible with grok or some other filter?

To explain, we are getting beats from multiple sources, and multiple departments in my company. There is a standardized field, that has a delimiter character, which I use dissect its data. However, we have a new division that needs more information and wants to increase the amount of delimited data in this field. The issue I have is that the added information is an inside delimited value. The below is a quick example, where there is an extra value ( -loc- ) inside. And, of course there are very different rules for processing these.

My thought is to count how many dashes there are to know how to process. Is this doable in a Logstash filter (grok?), or is there another approach that I should consider?

For example:

div-dept-unit-app
000-123-6589-652

div-dept-loc-unit-app
000-123-112-6589-652

JimP · September 5, 2018, 1:16pm

Would the logstash kv filter be able to do this?

JimP · September 5, 2018, 6:54pm

filter {
  mutate {
    add_field => ["dotcount"]
  }
  
  ruby {
    code => "dotcount = message.count(\".\")"
  }
}

system · October 3, 2018, 6:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.