Merge data from several csv sources

MickD · December 22, 2020, 12:35pm

Hello,

I'm new to ELK so please apologies if my question is trivial.

I have 3 CSV files with data that I would like to merge.
In each file, each row represent a data which can be father or child of a row in another file(s).

I would like to be able to create a "single" merged object to be send to elastic ( some fields can be null if there is no link between datas)

Note that each file might have field with same names and I should rename it in the result one. I also must do some field addition with date comparison.

I currently succeed to parse one file but I do not found any tips on internet for my need.

My current file content

input {
    file {
            type => "LevelA"
            path => "D:/LevelA.txt"
            start_position => "beginning"
            sincedb_path => "NUL"
        }
      file {
            type => "LevelB"
            path => "D:/LevelB.txt"
            start_position => "beginning"
            sincedb_path => "NUL"
        }
      file {
            type => "LevelC"
            path => "D:/LevelC.txt"
            start_position => "beginning"
            sincedb_path => "NUL"
        }
}
filter {
    csv {
        separator => ","
        skip_header => "true"
        columns => [ "id","startDate", "endDate","msg" ]
    }

}
output {
  elasticsearch {
      hosts => ["localhost:9200"]
      index => "mydata"
  }
    stdout {codec => rubydebug}
 }

ylasri · December 22, 2020, 1:52pm

How you define the unique recod (The parent) from the 3 files ? using only id or a combination of id and startDate ?

MickD · December 22, 2020, 1:57pm

There is a field which handle this ( not set in my exemple ) : child.id to link items between them.

Therefore the "unique record" is a combinaison between the 3 "first ids" which be

X | Y | Z
or
N.A | N.A| Z ( and all possible combination )

What is not possible is to have the same ID for the 3 (ie X | X | X )

ylasri · December 22, 2020, 2:04pm

Could you share a real example of the 3 files ?

MickD · December 22, 2020, 3:16pm

Not the "real" ones but I can simplify them...

High Level

id,Creation_Date,Children.id,
ID_07946,12/11/2020 15:53,ID_06172

MidLevel

id,Creation_Date,Children.id
ID_06172,17/06/2020 18:55,ID_06654
ID_07321,14/01/2020 04:00,ID_09054

Low Level

id,Creation_Date
ID_06654,31/07/2020 11:24
ID_09054,30/04/2020 15:50
ID_04044, 24/04/2020 16:20

system · January 19, 2021, 3:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.