I have a log looking like:
[2020-09-18 12:34 smth1=38 smth2=125 ... ]
and I want "smth1" to be a field name and "38" its value, what would be best way to do it considering that "smth1" might be different each time?
%{TIMESTAMP_ISO8601:time}%{SPACE}smth1=%{NUMBER:smth1:float} would be hardcoded way I want to avoid.
Use a dissect filter to take off the date, then use a kv filter.
dissect { mapping => { "message" => [%{timestamp} %{+timestamp} %{restOfLine}" } }
kv { source => "restOfLine" }© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.