How to Handle Metadata in File Headers

Badger · February 8, 2019, 1:02am

Try something like

    if [message] == "[Metadata]" or [message] == "[Events]" or [message] =~ /^$/ {
        drop {}
    } else {
        if [message] =~ /^[0-9a-zA-Z]+:/ {
            dissect { mapping => { "message" => "%{key}: %{value}" } }
            ruby {
                init => '
                    @@metadata = {}
                '
                code => '
                    @@metadata[event.get("key")] = event.get("value")
                '
            }
            drop {}
        } else {
            ruby {
                code => '
                    event.set("metadata", @@metadata)
                '
            }
        }
    }

Essentially, if the line looks like "key: value" then stash it as metadata. If it does not then add all the stashed metadata items to the event.

I think this requires "--pipeline.workers 1"

This kind of ruby solution tends to be fragile, and has to be tuned to the input.

I use a class variable (@@metadata) rather than an instance variable (@metadata) because we need the same variable to visible across multiple ruby filters.

Topic		Replies	Views
Parse log file with two formats in it Logstash	6	560	March 5, 2019
Can I attach a messages byte-count as a metadata field? Logstash	7	2003	July 6, 2017
Using metadata in file input plugin and elasticsearch output plugin Logstash	1	564	January 25, 2019
Can I read input file's metadata (file creation time) through logstash? Logstash	3	883	March 7, 2018
Create new field with metadata content Logstash	5	469	July 13, 2018

How to Handle Metadata in File Headers

Related Topics