abu.sayeed
December 24, 2020, 6:38am
1
Logs like this:
topic = abc, partition = 2, offset = 4386, serialized key size = -1, serialized value size = 1139, key = null, value = {"Name":"pc-1","test":false,"message":"elk test - Your pc-1 better. Thank you.","Count":1,"valid":true,"includeResend":false,}
My logstash config file looks like below:
kv {
Fields look like below:
But I need fields below:
topic = abc
So I wish help to solve this. Thanks.
fadjar340
December 24, 2020, 8:44am
2
Better you use Dissect to archive what you want.
"dissect": {
"mapping" => {
"message" => "%{*topic} = %{&topic}, %{*partition} = %{&partition}, %{*offset} = %{&offset}, %{*serialized_key->} = %{&serialized_key}, %{*serialized_value->} = %{&serialized_value}, %{*key} = %{&key}, %{*value} = %{&value->}"
}
}
Badger
December 24, 2020, 4:34pm
3
You could also use grok to pull out [value], then mutate+gsub to remove it before running the message through the kv filter.
grok { match => { "message" => "value = %{DATA:value}$" } }
mutate { gsub => [ "message", "value = .*$", "" ] }
kv ...
fadjar340
December 25, 2020, 8:25am
4
@Badger
Badger
December 25, 2020, 4:03pm
5
No way to know for sure without benchmarking it. In general dissect has much less functionality so it tends to be cheaper. If grok has to do a lot of back-tracking it can be really expensive (hence the default 30 second time limit to match a pattern), but I would expect a pattern that is anchored at the beginning (by "value =") and then captures the rest of the string to be cheaper than most groks.
ylasri
December 25, 2020, 4:10pm
6
Here is an article that give an idea
2 Likes
abu.sayeed
December 27, 2020, 10:00am
8
Wow its working better. Thanks all for helping me.
1 Like
system
January 24, 2021, 10:00am
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
