Logstash filtering iterating over list

I am trying to parse the following log format: the first value is a hostname, and the last value is always a timestamp.

    blb12bkl4, data1 value1, data2 value2, data3 value3, 1594216629094

and the final output format should be:

        {
           host: "blb12bkl4",
           timestamp: 1594216629094,
           datalist: [
                {
                      data: "data1",
                      value: "value1"
                },
                {
                      data: "data2",
                      value: "value2"
                },
                {
                      data: "data3",
                      value: "value3"
                }
           ]
        }

And one more thing: in the logs the data[i] value[i] pairs can appear any number of times, but always at least once, like:

    blb12bkl4, data1 10, data2 20, 1594216629094
    blb12bkl4, data1 10, data2 20, data3 30, 1594216629094
    blb12bkl4, data1 10, data2 20, data3 30, data4 49, 1594216629094

So as a starting point I used grok and split:

    filter {
      grok {
        # Anchored so a line that does not fit the whole shape fails to match;
        # the last "name value" pair is matched separately so the trailing ", "
        # is not swallowed into datalist
        match => { "message" => "^(?<host>[a-zA-Z0-9]+),\s(?<datalist>(?:[a-zA-Z0-9]+\s[a-zA-Z0-9]+,\s)*[a-zA-Z0-9]+\s[a-zA-Z0-9]+),\s(?<timestamp>[0-9]+)$" }
      }
      mutate {
        split => { "datalist" => ", " }
      }
    }

So after this, I have the data as:

    {
       host: "blb12bkl4",
       timestamp: 1594216629094,
       datalist: [ "data1 value1",  "data2 value2", "data3 value3"]
    }

Can anyone please help with iterating over this datalist and producing the output in the required format?

Thanks in Advance.

I would not use the split option of the mutate filter. I'd use a KV filter with field_split at commas and value_split at spaces. Then I would iterate over the results with Ruby.

    i = 0
    event.get('kv_result').each { |key, value|
      event.set('[datalist][' + i.to_s + '][data]', key)
      event.set('[datalist][' + i.to_s + '][value]', value)
      i += 1   # Ruby has no ++ operator
    }

(I didn't test it. But something like this might work.)
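As an added, runnable example (not code from the original thread), here is the iteration the answer sketches, written as the body of a Logstash `ruby { code => "..." }` filter and run offline against a minimal stand-in for the Logstash Event. It handles the points the question raises: a variable number of pairs, the space that follows each comma, and the host/timestamp at the two ends. Instead of one `event.set` per index it builds the array of hashes and sets `datalist` once (the real `Event#set` accepts nested arrays and hashes). Lines that do not fit the expected shape are tagged rather than silently producing a half-filled event. `FakeEvent`, `parse_line`, `filter` and the `_lineparsefailure` tag are names chosen for this example; the sample lines are constructed from the ones in the question.

```ruby
require 'json'

# Minimal stand-in for the Logstash Event object (constructed for this
# example; only get/set/tag are modelled, which is an assumption about how
# much of the API the filter body needs).
class FakeEvent
  def initialize(message)
    @fields = { 'message' => message, 'tags' => [] }
  end

  def get(ref)
    @fields[ref]
  end

  def set(ref, value)
    @fields[ref] = value
  end

  def tag(name)
    @fields['tags'] << name
  end

  def to_h
    @fields
  end
end

# Whole-line shape: host, one or more "name value" pairs, then a numeric
# timestamp. Anchored with \A and \z so a line that deviates anywhere is
# rejected as a whole rather than producing a partially populated event.
LINE_RE = /\A([A-Za-z0-9]+),\s*((?:[A-Za-z0-9]+\s+[A-Za-z0-9]+,\s*)+)(\d+)\z/

# Returns the target document as a Hash, or nil when the line does not fit.
def parse_line(message)
  m = LINE_RE.match(message.to_s)
  return nil unless m

  host, pairs, ts = m.captures
  # pairs keeps its trailing ", "; strip/reject drops the empty tail element
  datalist = pairs.split(',').map(&:strip).reject(&:empty?).map do |pair|
    data, value = pair.split(/\s+/, 2)
    { 'data' => data, 'value' => value }
  end
  { 'host' => host, 'timestamp' => ts.to_i, 'datalist' => datalist }
end

# Body of the ruby filter: this is what would go in ruby { code => "..." }
# with the real event. Unparseable lines are tagged, not dropped, so they
# stay visible in pipeline metrics and can be investigated.
def filter(event)
  parsed = parse_line(event.get('message'))
  if parsed.nil?
    event.tag('_lineparsefailure')
  else
    parsed.each { |field, value| event.set(field, value) }
  end
  event
end

if __FILE__ == $0
  # Constructed sample lines, including one with no data/value pairs.
  [
    'blb12bkl4, data1 value1, data2 value2, data3 value3, 1594216629094',
    'blb12bkl4, data1 10, data2 20, data3 30, data4 49, 1594216629094',
    'blb12bkl4, 1594216629094'
  ].each { |line| puts JSON.pretty_generate(filter(FakeEvent.new(line)).to_h) }
end
```

When moved into a real pipeline, only the body of `filter` (and `LINE_RE`/`parse_line`) is needed inside the `code` string; a `_lineparsefailure` tag can then be counted or routed the same way grok's `_grokparsefailure` usually is, which is the check that tells you when the log format drifts.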
