Logstash Grok filters, split and path


I am new to Elasticsearch. Can anyone explain the difference between the split, xpath and grok filters, and in which situations each of them should be used?



I did not find an XPath filter in Logstash - did you mean the xml filter?

The filters you named are quite different concepts:

The xml filter (like the csv and json filters) is made to parse its corresponding format. If your input is in one of those formats, parsing the document is straightforward and no manual pattern work like grok is necessary. Use these filters whenever possible.
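For example, a minimal csv filter config only needs the column names (the field names here are just assumptions for illustration):

```
filter {
  csv {
    source  => "message"
    # Assumed column layout of the incoming line
    columns => ["timestamp", "user", "action"]
  }
}
```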

The grok filter can parse unstructured data like log messages by using grok patterns and regular expressions. It is very powerful, but it can become a bottleneck because of the cost of those regular expressions. Use it for unstructured text like logfiles.
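A typical grok config looks like this (this is the standard example pattern for a line such as `55.3.244.1 GET /index.html 15824 0.043`):

```
filter {
  grok {
    # Named grok patterns become fields on the event
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
  }
}
```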

I want to add the dissect filter here. It is similar to grok in that it uses a pattern of the message to parse it. The difference is that dissect does not support regular expressions, so it cannot parse lines whose structure varies. Where your lines do have a fixed structure, dissect should be preferred over grok, because the lack of regular expressions makes it faster.
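A dissect config uses a mapping instead of regex patterns; the field names here (`ts`, `level`, `msg`) are assumptions for a space-delimited log line:

```
filter {
  dissect {
    # Splits on the literal delimiters between the %{} keys - no regex involved
    mapping => { "message" => "%{ts} %{level} %{msg}" }
  }
}
```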

The odd one out here is the split filter: it does not parse a string into a structured document, it splits a field or an array into separate documents. Have a look at the example from the documentation - say you have a document like this:

{
  "field1": "...",
  "results": [
    { "result": "..." },
    { "result": "..." },
    { "result": "..." }
  ]
}

If you use the split filter on this document, you get three separate documents, each looking like this:

{
  "field1": "...",
  "results": {
    "result": "..."
  }
}
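The split config for that example is just the name of the field to split on:

```
filter {
  split {
    # Emits one event per element of the "results" array
    field => "results"
  }
}
```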

Best regards
