How to parse duplicated keys with different values

ddoroshenko · November 11, 2021, 1:27pm

Hello!

I'm trying to parse CheckPoint log which contains duplicated keys but with different values.
For example ... match_id:"555"; match_id:"777"; ...

When I use kv plugin

kv {
  source => "message"
  field_split => ";"
  value_split => ":"
  trim_key => " "
}

I get something like match_id: 555, 777

Is it possible to get result as

match_id.1: 555
match_id.2: 777

and then rename these fields to

match.id.1: 555
match.id.2: 777

?

Thank you

Badger · November 11, 2021, 4:33pm

Use a ruby filter. Something like this.

ddoroshenko · November 19, 2021, 9:18am

@Badger thank you for your advice
I've add this code to the filter

ruby {
    code => '
      event.get("match_id").each_with_index { |x, i| event.set( "[match][id][#{i}]", x) }
      '
  }

And what I see in Kibana

match.id.0     1970-01-01T00:00:00.555Z
match.id.1     1970-01-01T00:00:00.777Z

What could be the problem?

UPD: Reindex solved the problem

ddoroshenko · November 19, 2021, 9:33am

Reindex solved the problem

Topic		Replies	Views
Logstash filtering Logstash	9	385	April 26, 2019
Repeated keys converted to array Logstash	6	568	July 6, 2017
Kv Filter - allow_duplicate_values different behavior Logstash	7	648	April 28, 2020
Logstash rewrite value for the same key instead of append Logstash	2	400	December 17, 2021
Single key (field) with multiple values to multiple key (fields) with single fields convertion Logstash	3	706	November 14, 2019