I need help in splitting the value in message field and update the result in the remaining respective fields.
I have a row data in .csv file in the following format:
"NA","GIXRG051/Genpact/Consultant","5/1/2020 2:10","5/1/2020 2:12","5/1/2020 2:12","RIXRM006","NA","NA","NA","NA","NA","NA","NA","NA","NA","NA","NA","NA","NA","FSC JE EMEA/FSC/PL","RE: 453-santander 27","453 Santander 27 Apr 2020.xlsx","Not Valid","1:20","Exception","Business Exception","Template does not contain Sheetname "JE"","","","NA"
I have created .conf file with the following filter configurations:
filter {
if [message] =~ /^Debit Amount/ {
drop {}
}
csv{
separator => ","
columns => [ "Debit_Amount", "Sender_Email", "Received_Time", "Email_Sent_Time", "Date", "BOTID", "Company_Number", "Doc_Type", "GL_Date", "Explanation", "Ledger_Type", "Currency", "Exchange_Rate", "Reversal", "JE_Type", "JE_Preparer_User_Email", "Company_Name", "Region", "Posting_Period", "SourceFolder", "Email_Subject", "JE_File_Name", "Is_Template_Valid", "Process_Time", "Status", "Exception_Type", "Exception_Details", "ScreenShotPath", "ScreenShot_Name", "Potential_Duplicate_Identified"]
add_field => { "test_process_status" => "Tested"}
}
if [test_process_status] == "Tested"{
mutate {
add_field => {
"log_status" => "Successful"
}
}
}
else if [test_process_status] != "Tested"{
mutate {
add_field => { "log_status" => "Failure" }
add_field => { "temp_message" => "Parse Failure" }
copy => {"message" => "temp_message"}
}
}
But at the end it is providing _csvparsefailure especially for the type of logs as mentioned above which has one of the column data consisting of "" as special characters.
I need help in splitting the values stored in message field and update the obtained results in the respective columns.
I would acknowledge if any other method is effective for this issue.
Thank you