How to take the first two lines after splitting on new lines

I want to store the first two lines of one of my logs in a different variable using the split() function of the Mutate filter and then concatenate them using a delimiter like a comma. Is that possible using the split() and add_field() commands? I didn't find many examples of using the split() function. I want to take the first two lines of the stacktrace as the exception.
I tried something like this:

  mutate { add_field => { "exception" => "%{stacktrace}" } }
  mutate { split => { "exception" => "\n\t" } } 
  mutate { update => { "exception" => {%{exception}[0] + %{exception}[1]  } } }

But I get a compile error; "\n\t" is the delimiter.

I also tried with the ruby filter, but it is not splitting at all:

  if [stacktrace] {
    mutate { add_field => { "exception" => "%{stacktrace}" } }
    ruby {
      code =>
        "
          exception_array = event['exception'].split('\n\t')
          event['exception'] = exception_array[0] + '->' + exception_array[1]
        "
    }
  }

My log lines are separated by "\n\t" and look like:

"org.someException: Some message\n\tat some.package(SomeClass.java:1000)\n\tat some.package(SomeClass.java:1000)\n\tat...

What is the compile error? At first glance, it looks like you're trying to give a curly-brace thing in the update directive, but we need a string there, perhaps something like this:

  mutate { update => { "exception" => "%{exception[0]} -> %{exception[1]}" } }

In Ruby, a single-quoted string does not convert backslash-escaped character sequences, so your '\n\t' is being interpreted literally as the four-character sequence backslash+n+backslash+t. Off the top of my head, the only way around this would be to provide the code in a single-quoted block and to use double quotes inside it:

  if [stacktrace] {
    mutate { add_field => { "exception" => "%{stacktrace}" } }
    ruby {
      # The config string is single-quoted so the Ruby code inside can use
      # double quotes, which Ruby needs for "\n\t" to mean newline + tab.
      code =>
        '
          exception_array = event["exception"].split("\n\t")
          event["exception"] = exception_array[0] + "->" + exception_array[1]
        '
    }
  }

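The splitting logic from the answer, as an added stand-alone Ruby example that is not part of the original thread: it shows the single-quote vs double-quote delimiter difference, and guards the join so a stacktrace with only one line does not raise on a nil second element (the answer's code would). The Logstash event is stood in for by a plain Hash, and the function names are my own.

```ruby
# Added example: split a Java-style stacktrace on "\n\t" and keep the first
# two lines, as the ruby filter in the answer does, but nil-safe.
# A plain Hash stands in for the Logstash event (classic event['field'] API).

# Constructed sample, same shape as the log line quoted in the question.
SAMPLE_STACKTRACE = "org.someException: Some message\n\t" \
                    "at some.package(SomeClass.java:1000)\n\t" \
                    "at some.package(SomeClass.java:1000)"

# Returns the first two stacktrace lines joined with sep, or only the first
# line when there is no second one. Returns nil for a missing/empty field.
def first_two_lines(stacktrace, sep: "->")
  return nil if stacktrace.nil? || stacktrace.empty?
  # Double quotes are required: '\n\t' would be the four literal characters
  # backslash, n, backslash, t and would never match a real line break.
  lines = stacktrace.split("\n\t")
  lines.first(2).join(sep)
end

# Mirrors the filter body: only events with a stacktrace get an exception
# field, built from the first two lines.
def enrich_event(event)
  return event unless event.key?("stacktrace")
  event["exception"] = first_two_lines(event["stacktrace"])
  event
end

# Why the question's version never split: a single-quoted '\n\t' is four
# characters, while the double-quoted "\n\t" is newline + tab (two).
def delimiter_lengths
  { single_quoted: '\n\t'.length, double_quoted: "\n\t".length }
end

if __FILE__ == $PROGRAM_NAME
  event = enrich_event({ "stacktrace" => SAMPLE_STACKTRACE })
  puts event["exception"]
  p delimiter_lengths
end
```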