I want to split from filed value using logstash

dharminfadia · May 10, 2023, 9:27am

Hello Everyone

I am trying to split recipient-status feild first 3 digit and want to add in to new feild I tried mutate split and add filed but no luck can any one suggest how I can achive this ???

Sample logs

05/01/23 23:59:57 SMTP-OU 0CAB49668DD74D988109ASDEDFA0E602.MAI 1796 0.0.0.0 CONN 220 docomo.ne.jp ESMTP Service Ready 0 38 =?utf-8?B?44GC44Gq44Gf44Gu54Sh5paZ44Gu5q+N44Gu5pel44Kq44O8?=

Logstash Configuration

input {
stdin { }
}

filter {
csv {
separator => " "
columns => ["datetime","transactiontype","messageid","remoteport","remoteip","smtocommand1","smtpcommand2","recipient-status","BytesRecv","BytesSent","column11","subject"]
}
}

filter {
mutate {
remove_field => ["[event][original]"]

remove_field => ["message"]

}
}

filter {
mutate {
gsub => [
"subject", "=?\w{3}-\d?\w?.*", ""

]
}
}

filter{
mutate {
split => { "recipient-status" => "\d{3}" }
add_field => { "statuscode" => "%{[recipient-status][0]}"}
}
}

output {
stdout {
codec => rubydebug
}
}

cperzrt10 · May 10, 2023, 3:09pm

Have you try grok? Because if you aply the split by spaces it will fail your sample data have more spaces that columns.

With grok you can use regular expresions to mach and catch the data with all your requirements

dharminfadia · May 10, 2023, 4:02pm

Hello @cperzrt10

Thank you for reply

I tried first with grok pattern but the problem is my file having 40-50 lacs raw and all every time detect new pattern so I choose this option this thing is split with tab and count as csv
delimetter but I want to perfrom so field slipt and that value I want to add in to new feild so any one have Idea they can help me..

warkolm · May 10, 2023, 10:27pm

@dharminfadia please don't ping people that aren't already taking part in your topic like that.

dharminfadia · May 11, 2023, 2:26am

Ok thank you for reply

cperzrt10 · May 11, 2023, 6:38am

But you dont indicate the tab in the split filter you put space

filter {
  csv {
    separator => " "
    columns => ["datetime","transactiontype","messageid","remoteport","remoteip","smtocommand1","smtpcommand2","recipient-status","BytesRecv","BytesSent","column11","subject"]
  }
}

I think that the tab separator is

separator => "	"

dharminfadia · May 11, 2023, 6:59am

@cperzrt10

Thank you for reply

Actully for CSV filter \t is not working we have to manually tab between quots so that's the reason I metnion instead of \t to tab so it is showing space..

cperzrt10 · May 12, 2023, 6:12am

Can you post the sample post using the blockquote option to see the tabs?

system · June 9, 2023, 6:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need to Split the Value in the Message Logstash	1	223	July 14, 2020
Create fields by splitting a log Logstash	8	1226	April 2, 2020
Regarding Split filter in mutate Logstash	4	221	July 28, 2022
Further split logstash output for a particular field Logstash	2	547	June 15, 2017
Problem with "split" and "add_field" in mutate filter Logstash	5	5461	December 19, 2019

I want to split from filed value using logstash

remove_field => ["message"]

Related Topics