How to create multiple events in logstash to push multiple request in elasticsearch

ajit · October 12, 2017, 1:22pm

I have logstash configuration. I want to take data from one event manipulate the data and create multiple events and push that events to elasticsearch.
e.g.
{
"activity" : "meeting",
"clientName" : "ABC/XYZ/LMN"
"Duration" : 60
}

above example shows my original event message.
But I want to divide that message into three json objects (events) like below:
{
"activity" : "meeting",
"clientName" : "ABC"
"Duration" : 20
},
{
"activity" : "meeting",
"clientName" : "XYZ"
"Duration" : 20
},
{
"activity" : "meeting",
"clientName" : "LMN"
"Duration" : 20
}

paz · October 12, 2017, 1:36pm

A decent solution would be the split filter along with some custom Ruby code most likely, especially if you want to do field manipulation like your duration example.

Example:

filter {
    ruby {
        code => "
            event.set('clientName', event.get('clientName').split('/'))
            event.set('Duration', event.get('Duration').to_i / event.get('clientName').length)
        "
    }
    split {
        field => "clientName"
    }
}

system · November 9, 2017, 1:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.