Nested key-values parsed with KV

Elitlogik · December 4, 2020, 8:21am

KV works great for parsing my input.

One key-value, however, looks like this:

waninfo="name=wan1,bytes=35911872068/568034814778,packets=135560453/438026267;name=wan2,bytes=0/0,packets=0/0;"

I would like to KV-parse that value into:

    name1:wan1
    bytes_sent1:35911872068
    bytes_received1:568034814778
    packets_sent1:135560453
    packets_received1:438026267
    name2:wan2
    bytes_sent2:35911872068
    bytes_received2:568034814778
    packets_sent2:135560453
    packets_received2:438026267

Depending on the complexity added to filter I would like to:

Parse N iterations (example shows 2, but there could possibly be N)
If 1 is too comples just parse the first iteration and output:

    wan1_bytes_sent:35911872068
    wan1_bytes_received:568034814778
    wan1_packets_sent:135560453
    wan1_packets_received:438026267

Current filter is just like this:

    filter {
     mutate { gsub => [ "message", "^<\d+>", "" ] }
     kv { }
    }

Thank you very much for your support! I'm learning slowly

Badger · December 4, 2020, 3:21pm

Do you really want the values from wan1 copied to wan2? If so, is that unconditional or is there some logic to whether or not it should be done.

I have not tested it but you could try

mutate { split => { "wan_info" => ";" } }
split { field => "wan_info" }
dissect { mapping => { "wan_info" => "name=%{name},bytes=%{bytes_sent}/%{bytes_received},packets=%{packets_sent}/%{packets_recevied}" } }

Elitlogik · December 5, 2020, 8:41pm

Hi,

No, of course not. Just simple logic. I want to take care of the data as Fields in Elastic. It was a mistake to grab the values for wan1 and put into the wan2 fieldas. Wan2 data should all have been 0.

Should I append your code after the kv {} statement, or should it be pasted between the brackets of the kv { your code }?

Thank you very much for your support!

Badger · December 5, 2020, 9:04pm

Remove the kv filter and replace it with the three filters I showed.

Elitlogik · December 5, 2020, 11:07pm

Hmm. I still have a lot of key-value pairs that KV parses and generates fields for just perfectly.

It’s just that one key-value (waninfo) that I would like to parse the value of and create additional fields.

key1=value1 key2=value2 ... waninfo=“ name=wan1,bytes=A1/A2,packets=B1/B2;name=wan2,bytes=C1/C2,packets=D1/D2;” ... keyN=valueN

The wan1_bytes_sent=A1 should be created and on the same level as the other keys key1, key2 etc

Either just grab A1, A2, B1 and B2 and statically produce wan1_bytes_sent field and set it to A1, wan1_bytes_received and set it to A2, or dynamically create (name)_bytes_sent and set it to A1 etc because the number of name=,bytes=,packets= sequence could be infinite or zero.

Thank you for your support!

Badger · December 5, 2020, 11:21pm

In that case add my code after the kv filter.

system · January 2, 2021, 11:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.