I am using a ruby filter for splitting the fields. Any suggestions?

Log file:

20:03:45 info to agent 1003:4:45|1003:47:53|2003:44:78|2003:45:87|2003:21:34

I dropped the first 3 fields using grok, with greedy data for the last part:
Logs "1003:4:45|1003:47:53|2003:44:78|2003:45:87|2003:21:34"
filter {
  kv {
    source => "Logs"
    field_split_pattern => '\+|'
    value_split => ":"
    target => "kv"
  }
  ruby {
    code => "
      hash = event.get('kv')
      hash.each { |key, value|
        event.set(key, value.gsub!(/[0-9]+:/, ''))
      }
    "
  }
}
Output:
1003 => [
  [0] "4:45",
  [1] "47:53"
]

2003 => [
  [0] "44:78",
  [1] "45:87",
  [2] "21:34"
]

Expected output
1003=>45
1003=>53
2003=>78
2003=>87
2003=>34

Hey,
Just a quick one, I am sure there is a shorter/quicker way of doing this.

For the above, with this format, the ruby script below can grab the data and perform the split on "|" in the ruby filter.

ruby {
  code => "
    i = event.get('[greedy_data_field]')
    a = i.split('|')
    b = a[0].split(':')[0] + ' ' + a[0].split(':')[2]
    c = a[1].split(':')[0] + ' ' + a[1].split(':')[2]
    d = a[2].split(':')[0] + ' ' + a[2].split(':')[2]
    e = a[3].split(':')[0] + ' ' + a[3].split(':')[2]
    f = a[4].split(':')[0] + ' ' + a[4].split(':')[2]
    event.set('[entry_field_1]', b)
    event.set('[entry_field_2]', c)
    event.set('[entry_field_3]', d)
    event.set('[entry_field_4]', e)
    event.set('[entry_field_5]', f)
  "
}

i.e.

#gets 1003:4:45 splits to show 1003 45
b = a[0].split(':')[0] + ' ' + a[0].split(':')[2]
#gets 1003:47:53 splits to show 1003 53
c = a[1].split(':')[0] + ' ' + a[1].split(':')[2]
#gets 2003:44:78 splits to show 2003 78
d = a[2].split(':')[0] + ' ' + a[2].split(':')[2]
#gets 2003:45:87 splits to show 2003 87
e = a[3].split(':')[0] + ' ' + a[3].split(':')[2]
#gets 2003:21:34 splits to show 2003 34 
f = a[4].split(':')[0] + ' ' + a[4].split(':')[2]

Thanks for the quick reply. If we have n number of fields, this might not work.
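
An added example, not part of any post in this thread: the same split carried through for any number of `|`-separated entries, which goes beyond the five-entry case shown above. It groups repeated ids into arrays, since an event cannot hold two fields with the same name, and sets aside entries that do not have exactly three parts; `parse_entries` and `flat_pairs` are hypothetical names and `SAMPLE` is constructed from the log line quoted in the question.

```ruby
# Added example: parse "id:x:value|id:x:value|..." for any number of entries.
# SAMPLE is constructed from the log line quoted in the thread.
SAMPLE = '1003:4:45|1003:47:53|2003:44:78|2003:45:87|2003:21:34'

# Returns [grouped, rejected]:
#   grouped  - { id => [last_part, ...] } in order of appearance
#   rejected - entries that are not exactly three non-empty ':'-separated parts
def parse_entries(payload)
  grouped = Hash.new { |h, k| h[k] = [] }
  rejected = []
  payload.to_s.strip.split('|').each do |entry|
    # limit -1 keeps trailing empty parts, so "2003:44:" is seen as malformed
    parts = entry.strip.split(':', -1)
    if parts.length == 3 && parts.none?(&:empty?)
      grouped[parts[0]] << parts[2]
    else
      rejected << entry
    end
  end
  [grouped, rejected]
end

# Flattened "id value" strings, in the same style as the reply above.
def flat_pairs(payload)
  grouped, = parse_entries(payload)
  grouped.flat_map { |id, values| values.map { |v| "#{id} #{v}" } }
end

if __FILE__ == $PROGRAM_NAME
  grouped, rejected = parse_entries(SAMPLE)
  p grouped   # ids mapped to arrays of values
  p rejected  # malformed entries, empty for SAMPLE
end
```

Inside a Logstash ruby filter, the body of `parse_entries` can run on `event.get('Logs')`, followed by `grouped.each { |id, values| event.set(id, values) }`; the rejected entries can be written to a separate field so malformed lines are visible rather than silently dropped.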
