How to split one line document into several documents using logstash?

jimmyb · February 15, 2024, 3:39pm

Hello All,

First time poster here.

I have a document coming into logstash which is just one field that references different logs however it has come into elastic as just one line.

For example the string within the "message" field is the following : "deviceId": "hostname123", "IP address" : "192.168.1.50", "device type" : "laptop"}]}}, "deviceid":"hostname124","IP address":"192.168.1.51"."device type" : "desktop"}]}},

This will go on the same line for about 10 devices when it should actual be a different document per device, at the end of the devices description there is alwaysthe characters }]}},

Is there a split I can do using something like regex within log stash where if new text comes after that characters }]}}, then put this into a different line / document?

I hope this makes sense!

Many Thanks,

Badger · February 15, 2024, 5:04pm

You could use mutate+split to convert the string to an array using "}]}}" as the separator. Then use a split filter to create one event per array entry.

system · March 14, 2024, 5:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.