How to create new fields and documents based on variable length log?

san_sun · May 12, 2020, 7:09pm

I have a log message with a format like:
status : name message ; status: name message ; status: name message ; status: name message.....

I need to split based on the semicolon, and create separate Elasticsearch documents that have fields for each of status, name and message. For example, if my log message was like this:
WARNING: A B ; CRITICAL: C D ; OK E F ; CRITICAL G H
Then I would need four different documents. The first document would have three fields, where status is WARNING, name is A and message is B. The second document would have status CRITICAL, name C and message D, and so on.

How do I do this?

Badger · May 12, 2020, 11:17pm

I would start by using mutate+split to separate the string into an array of four (or fewer?) strings. Then use a split filter to make each string a separate document. Then use dissect or grok to pull out the three fields.

san_sun · May 13, 2020, 5:03am

That worked! Thank you

For future reference, in case someone else has a similar problem, here is a sample code:

filter {
    mutate {
        split => { "message" => ";" }
    }
    split {
        field => "message"
    }
    grok {
        match => { "message" => "%{WORD:level}: %{WORD:name} %{GREEDYDATA:msg}" }
        remove_field => ["message"]
    }
}

Topic		Replies	Views
How to split one line document into several documents using logstash? Logstash	2	175	March 14, 2024
Creating separate documents from log Logstash	4	2679	August 23, 2017
Splitting an event into multiple documents Logstash	5	4129	January 31, 2018
Creating separate elasticsearch docs with batched log messages Logstash	3	261	October 22, 2021
Create fields by splitting a log Logstash	8	1271	April 2, 2020

How to create new fields and documents based on variable length log?

Related topics