Logstash filter not able to split

Hi Gurus,
please help me out . I am trying to split the nested fields in log files but not able to do .Could you please help me out .
He is the sample file:
Mon May 30 00:30:26 PDT 2016
kthr memory page disk faults cpu
r b w swap free re mf pi po fr de sr m0 m1 m2 m3 in sy cs us sy id
4 0 0 2480 3628804 0 0 0 0 0 0 0 5 0 0 0 0 0 0 0 0 99
0 0 0 2480 3628712 0
Mon May 30 00:40:54 PDT 2016
kthr memory page disk faults cpu
r b w swap free re mf pi po fr de sr m0 m1 m2 m3 in sy cs us sy id
4 0 0 2480 3710276 0 0 0 0 0 0 0 5 0 0 0 0 0 0 0 0 99
1 0 0 2480 3710336 0 0 0 0 0 0 0 0 0 0 0 ..
when i was trying to split the data it is not able to split i got the ouput as follows:

PFA ' p1'

p1.png993×492 21.1 KB

In the above index data is shown in a single message rather than spliting an individual events.
But the expecting output should be similar in selected fields as
Kthr.r
kthr.b
kthr.w
memory.free...so on
for this i have done splitting using the below code:

input { 
	file {
path => "C:\hrd\vmst1.csv"
type => "log"
start_position => beginning

  } 
}

filter {
	if [type] == "vmstat" {
		if [message] =~ "^procs" {
			drop {}
		}
		csv {
			separator => " "
			columns => ["vmstat.r", "vmstat.b", "vmstat.w", "vmstat.swap" ,"vmstat.free", "vmstat.re", 
			"vmstat.mf", "vmstat.pi", "vmstat.po", "vmstat.fr", "vmstat.de", "vmstat.sr", 
			"vmstat.m0", "vmstat.m1", "vmstat.m2", "vmstat.m3", "vmstat.in", "vmstat.cs","vmstat.us","vmstat.sy","vmstat.id"]
		}
		mutate {
			convert => [
				"vmstat.r", "integer",
				"vmstat.b", "integer",
				"vmstat.w", "integer",
				"vmstat.swap", "integer",
				"vmstat.free", "integer",
				"vmstat.re", "integer",
				"vmstat.mf", "integer",
				"vmstat.pi", "integer",
				"vmstat.po", "integer",
				"vmstat.fr", "integer",
				"vmstat.de", "integer",
				"vmstat.sr", "integer",
				"vmstat.m0", "integer",
				"vmstat.m1", "integer",
				"vmstat.m2", "integer",
				"vmstat.m3", "integer",
				"vmstat.in", "integer",
				"vmstat.cs", "integer",
				"vmstat.us", "integer",
				"vmstat.sy", "integer",
				"vmstat.id", "integer"
				
			]
		}
	 }
	}

    filter {
	if [type]  == "performon" {
		csv {
			separator => "	"
			columns => [
				"kthr.r", 
				"kthr.b", 
				"kthr.w", 
				"memory.swap",
				"memory.free",
				"memory.re",
				"page.mf",
				"page.pi",
				"page.po",
				"page.fr",
				"page.de",
				"page.sr",
				"disk.m0",
				"disk.m1",
				"disk.m2",
				"disk.m3",
				"faults.in",
				"faults.sy",
				"cpu.cs", 
				"cpu.us",
				"cpu.sy",
				"cpu.id"
             ]
			 
			 }
			   mutate {
			   convert => [
			   "vmstat.r", "float",
				"vmstat.b", "float",
				"vmstat.w", "float",
				"vmstat.swap", "float",
				"vmstat.free", "float",
				"vmstat.re", "float",
				"vmstat.mf", "float",
				"vmstat.pi", "float",
				"vmstat.po", "float",
				"vmstat.fr", "float",
				"vmstat.de", "float",
				"vmstat.sr", "float",
				"vmstat.m0", "float",
				"vmstat.m1", "float",
				"vmstat.m2", "float",
				"vmstat.m3", "float",
				"vmstat.in", "float",
				"vmstat.cs", "float",
				"vmstat.us", "float",
				"vmstat.sy", "float",
				"vmstat.id", "float"
				]
				
			 }
			 }
			 }
			 
			 
output {
   elasticsearch {
	hosts => "localhost" 
	action => "index"
	index => "vmstat11"
    workers => 1
	}
  stdout {codec => rubydebug}
}

please suggest me

Thanks,
jagan

Hi, your code looks resonable at first look, could you link somehow your sample files and configuration, might be using http://pastebin.com/ , this will help others and me debug your issue more in detail.

On the other side, which version of logstash are you using?

Hi, taking a close look to your config, you assign type == "log" to your events in the input, however in your filter section your do if [type] == "vmstat" and the other one is if [type] == "performon" so your logs will never enter any of this sections. was this a typo when copying ?

Keep in mind that ES 2.0 and later don't support periods in the field names so you'll probably want to go with e.g. vmstat_r instead of vmstat.r.