How to split one line document into several documents using logstash?

jimmyb · February 15, 2024, 3:39pm

Hello All,

First time poster here.

I have a document coming into logstash which is just one field that references different logs however it has come into elastic as just one line.

For example the string within the "message" field is the following : "deviceId": "hostname123", "IP address" : "192.168.1.50", "device type" : "laptop"}]}}, "deviceid":"hostname124","IP address":"192.168.1.51"."device type" : "desktop"}]}},

This will go on the same line for about 10 devices when it should actual be a different document per device, at the end of the devices description there is alwaysthe characters }]}},

Is there a split I can do using something like regex within log stash where if new text comes after that characters }]}}, then put this into a different line / document?

I hope this makes sense!

Many Thanks,

Badger · February 15, 2024, 5:04pm

You could use mutate+split to convert the string to an array using "}]}}" as the separator. Then use a split filter to create one event per array entry.

system · March 14, 2024, 5:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Creating separate documents from log Logstash	4	2573	August 23, 2017
Split Value into different document Logstash	2	166	June 28, 2023
Split document into multiple documents Logstash	13	1473	May 25, 2022
Splitting an event into multiple documents Logstash	5	4025	January 31, 2018
Split json array into multiple documents Logstash	2	639	June 28, 2023

How to split one line document into several documents using logstash?

Related topics