Logstash line break


(Erik Parienty) #1

I have this config with a long line:
grok {
	match => {
		"message" => "%{DATESTAMP:LogDate},%{NUMBER:RamUsedPercent:float},%{NUMBER:CpuPercent:float},%{NUMBER:DiskFreePercentC:float},%{NUMBER:DiskFreePercentD:float},%{NUMBER:ASPRequestExecutionTime:float},%{NUMBER:ASPRequestWaitTime:float},%{NUMBER:ASPRequestCurrent:float},%{NUMBER:ASPRequestQueued:float},%{NUMBER:ASPRequestRejected:float},%{NUMBER:ASPApplicationsPipelineInstanceCount:float},%{NUMBER:ASPApplicationsRequestWaitTime:float},%{NUMBER:ASPApplicationsRequestsFailed:float},%{NUMBER:ASPApplicationsRequestsInApplicationQueue:float},%{NUMBER:ASPApplicationsRequestsRejected:float},%{NUMBER:ASPApplicationsRequestsTimedOut:float},%{NUMBER:ASPApplicationsRequestsSec:float},%{NUMBER:AzureQueueLastLiveSessionsDequeueTime:float}"
	}
}

How can I break it like this:

grok {
	match => {
		"message" => "%{DATESTAMP:LogDate},
%{NUMBER:RamUsedPercent:float},
%{NUMBER:CpuPercent:float},
%{NUMBER:DiskFreePercentC:float},
%{NUMBER:DiskFreePercentD:float},
%{NUMBER:ASPRequestExecutionTime:float},
%{NUMBER:ASPRequestWaitTime:float},
%{NUMBER:ASPRequestCurrent:float},
%{NUMBER:ASPRequestQueued:float},
%{NUMBER:ASPRequestRejected:float},
%{NUMBER:ASPApplicationsPipelineInstanceCount:float},
%{NUMBER:ASPApplicationsRequestWaitTime:float},
%{NUMBER:ASPApplicationsRequestsFailed:float},
%{NUMBER:ASPApplicationsRequestsInApplicationQueue:float},
%{NUMBER:ASPApplicationsRequestsRejected:float},
%{NUMBER:ASPApplicationsRequestsTimedOut:float},
%{NUMBER:ASPApplicationsRequestsSec:float},
%{NUMBER:AzureQueueLastLiveSessionsDequeueTime:float}"
	}
}


(Magnus Bäck) #2

Because of the formatting of the message it's hard to see any difference between the two samples you posted (hint: use the preview pane to the right to inspect what you're about to post), but I'm assuming you want to be able to break the otherwise very long line.

It would've been desirable to have the ability to concatenate strings via

"string1" "string2"

or

"string1" + "string2"

but unfortunately I don't think that's possible. The Logstash configuration language just isn't a fully-fledged programming language.

Well, impossible without ugly hacks anyway. You could use a mutate or ruby filter to create a temporary array field with all the comma-separated values, join them with a mutate filter, then pass the resulting string to the grok filter.
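
A different way to get the readability asked for above, as an added example that is not part of the thread: keep the columns as a list in a small Ruby script and generate the one-line grok expression from it before deploying the pipeline file. The function names and the name-validation rule are this example's own assumptions, not Logstash features.

```ruby
# Column names as in the question's pattern, each written as one word
# without spaces (assumption of this example).
FLOAT_FIELDS = %w[
  RamUsedPercent CpuPercent DiskFreePercentC DiskFreePercentD
  ASPRequestExecutionTime ASPRequestWaitTime ASPRequestCurrent
  ASPRequestQueued ASPRequestRejected
  ASPApplicationsPipelineInstanceCount ASPApplicationsRequestWaitTime
  ASPApplicationsRequestsFailed ASPApplicationsRequestsInApplicationQueue
  ASPApplicationsRequestsRejected ASPApplicationsRequestsTimedOut
  ASPApplicationsRequestsSec AzureQueueLastLiveSessionsDequeueTime
].freeze

# This script's own conservative rule: letters, digits and underscore only.
NAME_RE = /\A[A-Za-z][A-Za-z0-9_]*\z/

# Reject names that would corrupt the generated pattern (spaces, commas,
# braces) and names used twice, which would merge two columns into one field.
def validate_names!(names)
  bad = names.reject { |n| n.match?(NAME_RE) }
  raise ArgumentError, "invalid field name(s): #{bad.inspect}" unless bad.empty?
  dups = names.select { |n| names.count(n) > 1 }.uniq
  raise ArgumentError, "duplicate field name(s): #{dups.inspect}" unless dups.empty?
  names
end

# Build the single-line expression: one DATESTAMP column followed by
# comma-separated NUMBER columns converted to float.
def grok_pattern(float_fields, date_field = "LogDate")
  validate_names!([date_field] + float_fields)
  (["%{DATESTAMP:#{date_field}}"] +
    float_fields.map { |f| "%{NUMBER:#{f}:float}" }).join(",")
end

# Render the filter block to paste into the pipeline configuration.
def grok_filter(pattern)
  "grok {\n  match => {\n    \"message\" => \"#{pattern}\"\n  }\n}\n"
end

puts grok_filter(grok_pattern(FLOAT_FIELDS)) if __FILE__ == $PROGRAM_NAME
```
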


(Erik Parienty) #3

Thanks, will work with 1 very long file :)

