Nested repeating group

Badger · January 3, 2020, 4:52pm

I would use ruby

    grok { match => { "message" => "%{TIMESTAMP_ISO8601:time} : %{GREEDYDATA:username} %{SYSLOG5424SD:usertype}%{GREEDYDATA:[@metadata][restOfLine]}" } }
    mutate { gsub => [ "[@metadata][restOfLine]", "\r", "" ] }
    mutate { gsub => [ "usertype", "[\[\]]", "" ] }
    ruby {
        code => "
            data = event.get('[@metadata][restOfLine]')
            matches = data.scan(/\n(\S+)\n\s+RED\s+: ([0-9]+)\n\s+BLUE\s+: ([0-9]+)\n\s+GREEN\s+: ([0-9]+)/)
            groups = []
            matches.each_index { |x|
                group = { 'name' => matches[x][0], 'red' => matches[x][1], 'blue' => matches[x][2], 'green' => matches[x][3] }
                groups << group
            }
            event.set('groups', groups)
        "
    }

You may not need the first mutate. And I assume you want red/blue/green, not red/blue/blue, which you cannot have.

Topic		Replies	Views
Need to Parse a nested JSON message in #Logstash Logstash	3	555	October 18, 2022
Parsing custom date with Filebeat (or Logstash) Beats filebeat	3	413	November 22, 2019
Recursive nested documents in elasticsearch Elasticsearch	10	4572	March 6, 2017
Nested JSON data to Logstash Logstash	8	410	December 12, 2022
Formatting data as a block in logstash Logstash	2	259	September 21, 2021

Nested repeating group

Related Topics