Match multiple values into one field

victor.nilsson · May 15, 2019, 7:48am

Hi,

We want to match multiple values into one field from a single Document/Message.

For example, the following message:

"Testlog, Field1=value1,asdasda,asdasd,asdasd,Field2=value2"

With the following grok patterns:

"Field1=%{WORD:matched_field}" And "Field2=%{WORD:matched_field}".

So we want to create a field, "matched_field" and populate it with values from two matches. Our concern is that if we match on "Field1" it will overwrite the value when it matches "Field2". We simply want to append it and have both matches in a single field. We have set the logstash pipeline to not break on match.

CristianoFerreira · May 15, 2019, 10:02am

Hi,

You could do the following grok patterns:

"Field1=%{WORD:matched_field_1}" And "Field2=%{WORD:matched_field_2}".

And then concatenate like:

mutate {
   add_field => {
      "matched_field" => "%{matched_field_1} %{matched_field_2}"
   }
   remove_field => ["matched_field_1", "matched_field_2"]
}

Best Regards

victor.nilsson · May 15, 2019, 10:52am

I don't think that's really what we are trying to do.

We want to have two values in one field. Like this:
Field1: value1,value2

Badger · May 15, 2019, 12:45pm

No it will not, you will end up with matched_field being an array containing both values.

system · June 12, 2019, 12:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.