Hi all,
Sorry if this topic has already been discussed, but I could not find a fitting example.
I've a log with the following structure:
message: {"PROF_ID":"P_CUSTOMER","action":"USERROLE","USR_COMP":"0xx","USER_DN":"cn=TEST TEST,ou=externalUsers,o=XXX","USR_EMP_ID":"E00XXX","FILTERS":[{"USR_PROF_FILT_VAL":"IT0XXXXX","FILT_ID":"XXX_CLI_FAT"},{"USR_PROF_FILT_VAL":"0XX","FILT_ID":"XXX_COMPANY"}]}
I've correctly parsed the first part with a json filter; the problem is the part after "FILTERS".
I've used a split filter:
filter {
  split { field => "[MessageJ][FILTERS]" }
}
and it creates a couple of events, with the following structure:
MessageJ.FILTERS.FILT_ID => XXX_COMPANY
MessageJ.FILTERS.USR_PROF_FILT_VAL => 0xx
and:
MessageJ.FILTERS.FILT_ID => XXX_CLI_FAT
MessageJ.FILTERS.USR_PROF_FILT_VAL => ITXXXXXX
I'd like to obtain something like:
MessageJ.FILTERS.XXX_COMPANY => 0xx
MessageJ.FILTERS.XXX_CLI_FAT => ITXXXXXX
So only a couple of values, not 2 different events, also because that way I lose the correlation between the data.
Is that possible?
Thanks a lot
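One way to get the single-event shape asked for above, as an added example that is not part of the original post: instead of `split`, pivot the `FILTERS` array into a hash keyed by `FILT_ID`. The function names, the `FILTERS_REJECTED` field and the sample line (the post's log with `USR_*` identity fields omitted) are assumptions made for illustration; inside Logstash the same logic would run in a `ruby` filter using `event.get` and `event.set`.

```ruby
require "json"

# Constructed sample, modelled on the log line in the post.
SAMPLE = '{"PROF_ID":"P_CUSTOMER","action":"USERROLE",' \
         '"FILTERS":[{"USR_PROF_FILT_VAL":"IT0XXXXX","FILT_ID":"XXX_CLI_FAT"},' \
         '{"USR_PROF_FILT_VAL":"0XX","FILT_ID":"XXX_COMPANY"}]}'

# Pivot [{"FILT_ID"=>k, "USR_PROF_FILT_VAL"=>v}, ...] into {k => v}.
# A FILT_ID seen more than once keeps all of its values as an array, and
# entries without a usable FILT_ID are returned separately, not dropped.
def pivot_filters(filters, key: "FILT_ID", value: "USR_PROF_FILT_VAL")
  return [{}, []] unless filters.is_a?(Array)

  grouped = Hash.new { |h, k| h[k] = [] }
  rejected = []
  filters.each do |entry|
    name = entry.is_a?(Hash) ? entry[key] : nil
    if name.nil? || name.to_s.empty?
      rejected << entry
    else
      grouped[name] << entry[value]
    end
  end
  pivoted = grouped.transform_values { |vals| vals.length == 1 ? vals.first : vals }
  [pivoted, rejected]
end

# Stand-in for the event: parse the JSON, replace FILTERS with the pivot.
# Hypothetical Logstash equivalent (field path taken from the post):
#   pivoted, rejected = pivot_filters(event.get("[MessageJ][FILTERS]"))
#   event.set("[MessageJ][FILTERS]", pivoted)
def flatten_event(raw)
  doc = JSON.parse(raw)
  pivoted, rejected = pivot_filters(doc["FILTERS"])
  doc["FILTERS"] = pivoted
  doc["FILTERS_REJECTED"] = rejected unless rejected.empty?
  doc
end

puts JSON.pretty_generate(flatten_event(SAMPLE)) if __FILE__ == $0
```

Because the resulting field names come from log content, an unbounded set of `FILT_ID` values would produce an unbounded set of fields in whatever index receives the events.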