How to Split the one field into multiple fields using kv plugins

Badger · March 13, 2019, 12:53pm

If an example of log_message is

(Institution Id->77) (data Id->127) QUERY-> insert into tablename1(col1,col2) values(val1,val2) ERROR->Table 'tablename1' doesn't exist

Then you could parse that (and the other 2) using this

    grok { match => { "log_message" => "^%{DATA:prefix}QUERY\-> %{DATA:query} ERROR(: |\->)%{DATA:error}$" } }
    if [prefix] {
        ruby {
            code => '
                m = event.get("prefix").scan(/\(([^-]+)\->([^\)]+)\)/)
                m.each.each { |k, v|
                    event.set(k, v)
                }
            '
        }
    }

In the ruby filter the scan function matches a regexp against the "prefix" field. The regexp looks for (key->value) patterns and returns an array of them. Each match is on entry in the array, and that entry itself is an array, the first entry of which is the key, and the second is the value.

Topic		Replies	Views
How to use split filter on the field using logstash Logstash	5	6149	March 27, 2019
Split field into multiple fields Logstash	4	1160	October 15, 2021
Single key (field) with multiple values to multiple key (fields) with single fields convertion Logstash	3	643	November 14, 2019
Split a specific csv column into multiple fields Logstash	3	473	December 8, 2021
Split an output of a kv filter Logstash	5	661	July 5, 2019

How to Split the one field into multiple fields using kv plugins

Related topics