Match multiple values into one field

victor.nilsson · May 15, 2019, 7:48am

Hi,

We want to match multiple values into one field from a single Document/Message.

For example, the following message:

"Testlog, Field1=value1,asdasda,asdasd,asdasd,Field2=value2"

With the following grok patterns:

"Field1=%{WORD:matched_field}" And "Field2=%{WORD:matched_field}".

So we want to create a field, "matched_field" and populate it with values from two matches. Our concern is that if we match on "Field1" it will overwrite the value when it matches "Field2". We simply want to append it and have both matches in a single field. We have set the logstash pipeline to not break on match.

CristianoFerreira · May 15, 2019, 10:02am

Hi,

You could do the following grok patterns:

"Field1=%{WORD:matched_field_1}" And "Field2=%{WORD:matched_field_2}".

And then concatenate like:

mutate {
   add_field => {
      "matched_field" => "%{matched_field_1} %{matched_field_2}"
   }
   remove_field => ["matched_field_1", "matched_field_2"]
}

Best Regards

victor.nilsson · May 15, 2019, 10:52am

I don't think that's really what we are trying to do.

We want to have two values in one field. Like this:
Field1: value1,value2

Badger · May 15, 2019, 12:45pm

No it will not, you will end up with matched_field being an array containing both values.

system · June 12, 2019, 12:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple match in one grok {} Logstash	7	395	September 27, 2020
How to match multiple fields to single value with IF Logstash	1	345	December 4, 2019
How to match multiple field,use multiple field or multiple match or multiple grok Logstash	3	7986	February 18, 2019
Logstash Multiple Grok Add Field Logstash	3	1009	August 24, 2018
Using RegEx for multiple matches to store in single field or dynamic fields Logstash	1	557	November 7, 2018

Match multiple values into one field

Related topics