I need to match only a 4-digit number from the field "created:". If there are multiple 4-digit numbers, I need to take the biggest and save it back to the field. The problem is that the field can contain strings, dashes, dots, brackets etc. Example:
"created:" "6.2016" -----> leave only 2016
"created:" "c2014" -----> leave only 2014
"created:" "[2010?]" -----> leave only 2010
"created:" "2000, c1994" -----> leave only the biggest one 2000
"created:" "2006 [i.e. 2007]" -----> leave only the biggest one 2007
Can use grok for this something like (?<queue_id>[0-9]{4}).... or conditions in filter if [created] =...
grok will not match the same pattern repeatedly. I use the .scan function of a ruby string to do this. You could try:
ruby {
  code => '
    created = event.get("created")
    if created
      # scan returns every match as an array like ["2010"] or ["2000", "1994"]
      # (to_s guards against a non-string field value)
      matches = created.to_s.scan(/\d{4}/)
      # Convert the array to integers
      matches = matches.map(&:to_i)
      # Only set the field when at least one number was found
      event.set("mostRecentYear", matches.max) unless matches.empty?
    end
  '
}
That assumes your field name is [created], not [created:]. You can overwrite [created] instead of adding a new field by changing the event.set line.
If you want to restrict the matches to strictly four-digit numbers, and not match part of 123456, change the regexp to /\D\d{4}\D/
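As an added example (not part of the original posts, and not Elastic's code): a standalone Ruby version of the scan-and-max approach from the answer, run over the sample values from the question plus a few constructed edge cases. The helper name `biggest_four_digit` and the lookaround pattern are assumptions of this example; the lookarounds limit matches to runs of exactly four digits while still matching at the start or end of the field.

```ruby
# Added example; biggest_four_digit is a hypothetical helper name.
# (?<!\d) and (?!\d) reject a digit on either side without consuming any
# character, so "2000, c1994" yields both years and "123456" yields none.
FOUR_DIGITS = /(?<!\d)\d{4}(?!\d)/

# Returns the largest exactly-four-digit number in value as an Integer,
# or nil when value is not a String or contains no such number.
def biggest_four_digit(value)
  return nil unless value.is_a?(String)
  value.scan(FOUR_DIGITS).map(&:to_i).max # max of an empty array is nil
end

# First five inputs are the samples from the question; the rest are
# constructed edge cases.
SAMPLES = [
  "6.2016",
  "c2014",
  "[2010?]",
  "2000, c1994",
  "2006 [i.e. 2007]",
  "123456",          # longer digit run: no match
  "id 123456, 1999", # only the standalone 1999 counts
  "n.d.",            # no digits at all
  nil                # field missing from the event
].freeze

SAMPLES.each do |input|
  puts "#{input.inspect} -> #{biggest_four_digit(input).inspect}"
end
```

Inside the ruby filter, the same expression can feed `event.set("created", year)` when the result is not nil, which leaves events without a four-digit number untouched.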