Multisplit

Elastic Stack Logstash
1

Good afternoon,

I have log with : and - for separate information.
I want to select information between : and -

I try with ruby

ruby {
code => "event.set('source', event.get('origine').split(':')[1])";
event.set('INFO', event.get('origine').split('\W+/')[1]);
"
}

and I try with a script field

def test0 = /^.*.(-?+)$/.matcher(doc['source'].value);

if ( test0.matches() ) {
return test0.group(0)
} else {
return "no"
}

But nothing is good.

Thank's for your help.

2

Could you give an example for the value of origine and the text you'd like to extract from it?

I think a grok with a pattern like %{GREEDYDATA:firstpart}:%{GREEDYDATA:secondpart}-%{GREEDYDATA:thirdpart} (But ideally more specific patterns than GREEDYDATA) should do it.

3

ID: TOTO - HOME - ROOM DIALED_DIGITS: 22

4

And what should the event fields extracted from that look like?

5

I would like extract TOTO

6

:\s?(?<yourinfo>[^-]*[^\s])\s?- would work.

7

on regex ruby or with grok ?

8

That should actually work for both as it's just normal regular expression, I guess.

9

Sorry but I try

ruby {
code => "event.set('source', event.get('origine').split(':')[1])";
event.set('INFO', event.get('origine').split(':\s?[^-]*[^\s])\s?-);
"
}

And I search when use
mutate filter
ruby
script field

Thank's for your help

10

It 's possible a solution with

ruby {
code => "
info = event.get['origine'].split(':')
['source'] = info[1]
info.each_index { |i| event[i.to_s] = info[i]
country = info[1].split('-')
event.set['Country'] = country[0]
"

11

ruby {
code => "
info = event.get('origine').split(':')[1]
event.set('source', info)
country = event(info).split('-')[0]
event.set('Country', country)
"
}

I have an issue for split a second time

12

I try a regex ruby \W for all metacharacter.

but when I try
ruby {
code => "
info = event.get('origine').split(':')[1]
event.set('source', info)
country = event.get('origine').split('\W')[1]
event.set('Countrysorigne', coutry)
"
}

I have no error and I have same message origine and Coutryorigine

13

Hello,
How I use :\s?(?[^-]*[^\s])\s?-

I try

event.get('origine).split(:\s?(?[^-]*[^\s])\s?-)
event.set('Origine1',info)

But I have an issue :
"Could not execute action: LogStash::PipelineAction::Create/pipeline_id:main, action_result: false", :backtrace=>nil}

14

If you are referring to my regex: That wasn't meant to be used as a separator for a split, but as an expression for grok or a ruby match function to directly extract TOTO into a field called yourinfo.
(And the code you posted is missing one ' as well was the // around the regex. That's probably why it is not only not working, but throwing an error.)

15

Solution is similar to ?

country = match(//:\s?(?[^-]*[^\s])\s?-)//)

It's possible to send me an example for use a a param for write result.

Thank you

16

Ruby:

if result = event.get("origine").match(/:\s?(?<yourinfo>[^-]*[^\s])\s?-/)
    event.set("thatswhatyouwantedtoextract", result[:yourinfo])
end

Grok:

grok {
    match => { "message" => ":\s?(?<thatswhatyouwantedtoextract>[^-]*[^\s])\s?-" }
}
17

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.