Logstash and Split

Hello

I have the following fields (data is example):

ForwardedIpAddress 1.2.3.4,4.3.2.1
IpAddress 1.2.3.4,4.3.2.1

What I would like to end up with is:

ForwardedIpAddress1 1.2.3.4
ForwardedIpAddress2 4.3.2.1
IpAddress1 1.2.3.4
IpAddress2 4.3.2.1

I think the best method is using the Split plugin, BUT I think I need something else to make the result go in new fields.

To me it would be something like

filter {
 split {
   field => "ForwardedIpAddress"
   target => "ForwardedIpAddress"
 }
}

filter {
 split {
   field => "IpAddress"
   target => "IpAddress"
 }
}

But besides this, I don't know how to separate them into two different fields.

I think you would need to use ruby to do that. I have not tested it but something like...

ruby {
    code => '
        [ "ForwardedIpAddress", "IpAddress" ].each { |field|
            f = event.get(field)
            if f
                f = f.split(",")
                f.each_index { |x|
                    event.set("#{field}#{x}", f[x])
                }
            end
        }
    '
}

Can I do it separately? I think it would help me understand it better.

I do not understand Ruby, so the code you inputted... I THINK I see a foreach in there but....

This worked, but the issue is that I don't understand it well.

This performs the contents of the code block (surrounded by {}) for each member of the array [ "ForwardedIpAddress", "IpAddress" ], substituting the value of the member for the field variable.

    [ "ForwardedIpAddress", "IpAddress" ].each { |field|

Get the value of the field with the name of the field variable (i.e., first [ForwardedIpAddress], then in the next iteration [IpAddress]) and assign it to f.

        f = event.get(field)

Verify that the field exists. If it does not then event.get returns nil and the if will test false

        if f

Split the field into an array using a comma as the separator

            f = f.split(",")

For each member of that array

            f.each_index { |x|

Set a field on the event with the name ForwardedIpAddress0 equal to the first member of the array derived from ForwardedIpAddress etc. This is string interpolation.

                event.set("#{field}#{x}", f[x])
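
An added example, not part of the thread and not Logstash's own code: the same splitting logic as the ruby filter above, extended beyond the thread's case to number fields from 1 as the question asked, tolerate a space after the comma, and keep entries that are not IP addresses out of the numbered fields. `FakeEvent`, `split_ip_fields`, `ip?` and the `_invalid` suffix are names assumed for this example; `FakeEvent` only imitates the `event.get`/`event.set` calls so the code runs outside Logstash.

```ruby
require "ipaddr"

# Stand-in for the Logstash event (get/set only). Constructed for this example.
class FakeEvent
  def initialize(data)
    @data = data.dup
  end

  def get(field)
    @data[field]
  end

  def set(field, value)
    @data[field] = value
  end

  def to_hash
    @data.dup
  end
end

# True only for a single IPv4/IPv6 address (IPAddr alone would also accept CIDR).
def ip?(text)
  return false if text.include?("/")
  IPAddr.new(text)
  true
rescue IPAddr::Error
  false
end

# Writes <field>1, <field>2, ... for each valid address, in order of appearance.
# Entries that do not parse are collected under <field>_invalid instead.
def split_ip_fields(event, fields)
  fields.each do |field|
    raw = event.get(field)
    next unless raw.is_a?(String) # field missing or not a string: skip it
    entries = raw.split(",").map(&:strip).reject(&:empty?)
    valid, invalid = entries.partition { |e| ip?(e) }
    valid.each_with_index { |ip, i| event.set("#{field}#{i + 1}", ip) }
    event.set("#{field}_invalid", invalid) unless invalid.empty?
  end
  event
end

# Constructed sample event, based on the example values in the question.
sample = FakeEvent.new("ForwardedIpAddress" => "1.2.3.4, 4.3.2.1,unknown",
                       "IpAddress" => "1.2.3.4,4.3.2.1")
p split_ip_fields(sample, ["ForwardedIpAddress", "IpAddress"]).to_hash
```

Inside a Logstash `ruby` filter, the body of `split_ip_fields` would run against the real `event` object in place of `FakeEvent`.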