Match multiple values into one field

victor.nilsson · May 15, 2019, 7:48am

Hi,

We want to match multiple values into one field from a single Document/Message.

For example, the following message:

"Testlog, Field1=value1,asdasda,asdasd,asdasd,Field2=value2"

With the following grok patterns:

"Field1=%{WORD:matched_field}" And "Field2=%{WORD:matched_field}".

So we want to create a field, "matched_field" and populate it with values from two matches. Our concern is that if we match on "Field1" it will overwrite the value when it matches "Field2". We simply want to append it and have both matches in a single field. We have set the logstash pipeline to not break on match.

CristianoFerreira · May 15, 2019, 10:02am

Hi,

You could do the following grok patterns:

"Field1=%{WORD:matched_field_1}" And "Field2=%{WORD:matched_field_2}".

And then concatenate like:

mutate {
   add_field => {
      "matched_field" => "%{matched_field_1} %{matched_field_2}"
   }
   remove_field => ["matched_field_1", "matched_field_2"]
}

Best Regards

victor.nilsson · May 15, 2019, 10:52am

I don't think that's really what we are trying to do.

We want to have two values in one field. Like this:
Field1: value1,value2

Badger · May 15, 2019, 12:45pm

No it will not, you will end up with matched_field being an array containing both values.

Topic		Replies	Views
Accidentally Getting duplicate values in field Logstash	2	1036	March 1, 2019
Field with duplicate values, keep only one Logstash	1	430	December 11, 2019
How to match multiple field,use multiple field or multiple match or multiple grok Logstash	3	8128	February 18, 2019
How to Grok a pattern into multiple field names Kibana	3	429	October 28, 2019
I cant set values in new fields Logstash	2	465	February 11, 2020

Match multiple values into one field

Related topics