How to parse duplicated keys with different values

ddoroshenko · November 11, 2021, 1:27pm

Hello!

I'm trying to parse CheckPoint log which contains duplicated keys but with different values.
For example ... match_id:"555"; match_id:"777"; ...

When I use kv plugin

kv {
  source => "message"
  field_split => ";"
  value_split => ":"
  trim_key => " "
}

I get something like match_id: 555, 777

Is it possible to get result as

match_id.1: 555
match_id.2: 777

and then rename these fields to

match.id.1: 555
match.id.2: 777

?

Thank you

Badger · November 11, 2021, 4:33pm

Use a ruby filter. Something like this.

ddoroshenko · November 19, 2021, 9:18am

@Badger thank you for your advice
I've add this code to the filter

ruby {
    code => '
      event.get("match_id").each_with_index { |x, i| event.set( "[match][id][#{i}]", x) }
      '
  }

And what I see in Kibana

match.id.0     1970-01-01T00:00:00.555Z
match.id.1     1970-01-01T00:00:00.777Z

What could be the problem?

UPD: Reindex solved the problem

ddoroshenko · November 19, 2021, 9:33am

Reindex solved the problem

system · December 17, 2021, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.