How to split one line document into several documents using logstash?

jimmyb · February 15, 2024, 3:39pm

Hello All,

First time poster here.

I have a document coming into logstash which is just one field that references different logs however it has come into elastic as just one line.

For example the string within the "message" field is the following : "deviceId": "hostname123", "IP address" : "192.168.1.50", "device type" : "laptop"}]}}, "deviceid":"hostname124","IP address":"192.168.1.51"."device type" : "desktop"}]}},

This will go on the same line for about 10 devices when it should actual be a different document per device, at the end of the devices description there is alwaysthe characters }]}},

Is there a split I can do using something like regex within log stash where if new text comes after that characters }]}}, then put this into a different line / document?

I hope this makes sense!

Many Thanks,

Badger · February 15, 2024, 5:04pm

You could use mutate+split to convert the string to an array using "}]}}" as the separator. Then use a split filter to create one event per array entry.

system · March 14, 2024, 5:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split Value into different document Logstash	2	165	June 28, 2023
Split json array into multiple documents Logstash	2	630	June 28, 2023
Each log line is split into a different document in Elastic Logstash	4	297	August 9, 2023
Separate Documents from log (JSON) Logstash	0	11	October 21, 2024
Logstash filter : Split plugin doesn't seems to work Logstash	9	5629	July 6, 2017

How to split one line document into several documents using logstash?

Related Topics