Hello!
I'm trying to parse CheckPoint log which contains duplicated keys but with different values.
For example ... match_id:"555"; match_id:"777"; ...
When I use kv plugin
kv {
source => "message"
field_split => ";"
value_split => ":"
trim_key => " "
}
I get something like match_id: 555, 777
Is it possible to get result as
match_id.1: 555
match_id.2: 777
and then rename these fields to
match.id.1: 555
match.id.2: 777
?
Thank you 
Use a ruby filter. Something like this.
@Badger thank you for your advice
I've add this code to the filter
ruby {
code => '
event.get("match_id").each_with_index { |x, i| event.set( "[match][id][#{i}]", x) }
'
}
And what I see in Kibana
match.id.0 1970-01-01T00:00:00.555Z
match.id.1 1970-01-01T00:00:00.777Z
What could be the problem?
UPD: Reindex solved the problem
Reindex solved the problem
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.