Logstash split function

hariskhalique · May 18, 2020, 5:23pm

Hi,
I have this tag fields with value

 Beige, Black, Blue, boohoo, Brown, cat:dresses, DZZ56895, Green, Grey, New Arrivals, Orange, Pink, Purple, Red, subcat:cocktail:cat:dresses, White, women, Yellow, z_global_id:39039

I want to split with "," and then with ":". If array count is more then one odd will be filed name and even will be field value.

I am not sure how because I new to logstash. Please any one can help me.

Thanks in advance.

Badger · May 18, 2020, 5:51pm

You can use a mutate+split filter to convert a string into an array of strings.

It is unclear what you want to do with the fields containing a colon.

hariskhalique · May 18, 2020, 5:56pm

if split with ":" say cat:dresses it become array ["cat", "dresses"]. Then I want "cat" as field and "dresses" as value in ES document.

{
  name: "some product",
  cat : "dresses"
}

name will be other field pull along with this tag field.This how I want to save in elastic search.

Thanks I hope this time is more clear.

Badger · May 18, 2020, 6:09pm

Once you split that you will have an array

[ "Beige", "Black", "Blue", "boohoo", "Brown", "cat:dresses", "DZZ56895", "Green", "Grey", "New Arrivals", "Orange", "Pink", "Purple", "Red", "subcat:cocktail:cat:dresses", "White", "women", "Yellow", "z_global_id:39039" ]

Are you sure that you want to turn that into

[ "Beige", "Black", "Blue", "boohoo", "Brown", { "cat": "dresses"}, "DZZ56895", "Green", "Grey", "New Arrivals", "Orange", "Pink", "Purple", "Red", { "subcat": "cocktail:cat:dresses", "White", "women", "Yellow", {"z_global_id": "39039"} ]

which is an array in which some entries are strings and some are hashes? I am uncertain that elasticsearch will even allow this (you may get a mapping exception), and doubt it will be useable in kibana.

You would have to write a ruby filter.

hariskhalique · May 18, 2020, 6:13pm

I just want to get this

{ "cat": "dresses"}

out of the tags. As I am new I think we have split with "," first then look for hash and then split again with ":" and then create fields and value. Which I am not sure how I can do it in logstash configuration file.

Badger · May 18, 2020, 7:38pm

You will need to use ruby

    mutate { add_field => { "[@metadata][fields]" => "%{message}" } }
    mutate { split => { "[@metadata][fields]" => "," } }
    ruby {
        code => '
            event.get("[@metadata][fields]").each { |x|
                x = x.strip
                matches = x.match(/([^:]+):(.+)/)
                if matches
                    event.set(matches[1], matches[2])
                end
            }
        '
    }

will produce

        "cat" => "dresses",
"z_global_id" => "39039",
     "subcat" => "cocktail:cat:dresses"

system · June 15, 2020, 7:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ambiguous in documentation which describe logstash filter plugin "mutate -> split" Logstash	2	327	February 26, 2019
How to split field value into an array? Logstash	2	3735	September 14, 2020
Logstash Mutate Split doesn't work Logstash	3	712	August 14, 2018
Mutate - Split - datatype remains string Logstash	4	338	December 24, 2019
Logstash text to array conversion Logstash	2	277	February 16, 2021

Logstash split function

Related Topics