I have file which looks like this. I want ship the whole file as an event because I want all the key value pairs (here delimiter is "=") of each file to be part of a single record in Elasticsearch. I am confused about how should I split the event/message and then pass it through the kv filter. Is it possible to split on new line and then send it to kv filter?
Any help regarding this is appreciated. Thanks
Use a multiline codec to consume the entire file as a single event, then use mutate+gsub to discard the headers, then a kv filter.
mutate { gsub => [ "message", "-{82}
[^
]+ Information
-{82}
", "" ] }
kv { field_split => "
" value_split => "=" remove_field => [ "message" ] }This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.