Logstash csv - Filters only rows with specific column count

Lubos_Marek · January 2, 2020, 12:24pm

Hello,
I have a log file (*.csv) with this specifific structure
datetime;level; statuscode; message

Sometimes missing the "statuscode" and that row has only 3 columns (datetime;level;message).

Can I somehow skip rows with 3 columns?

input {

  file {

    path => ["/usr/share/logstash/data1/*.csv"]

    start_position => "beginning"

    sincedb_path => "/dev/null"

  }

}

filter {

  csv {

    separator => ";"

    columns => ["datetime", "level", "statuscode", "message"]

  }

}

output {

  elasticsearch {

    hosts => ["http://host.docker.internal:9200"]

    index => "log"

  }

}

rugenl · January 2, 2020, 1:08pm

Something like this filter might work:

  ruby {
    code => 'if event.get("[message]).count(\";\") < 3
      event.cancel
    end'
  }

"Might" because some of the examples I used were the "old" ruby syntax before we needed to use "event.get".

The idea is that if there are less than 3 separator chars, there aren't 4 columns.

That CSV should have ";;" to designate the statuscode is null instead of this format.

system · January 30, 2020, 1:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can we use " :: " as a separator in csv filter in logstash Logstash	4	981	September 29, 2020
Parsing csv and conditions Logstash	2	288	January 7, 2020
CSV filter not working properly Logstash	3	549	March 25, 2022
How do I conditionally parse a CSV into different columns? Logstash	2	247	August 13, 2021
Restrict Logstash to map values to its specific Columns Using CSV filter Logstash	2	870	July 6, 2017

Logstash csv - Filters only rows with specific column count

Related topics