Hello,
I'm trying to parse multiple items in one line. My grok pattens match but logstash are outputting the data as arrays; How can i make the output look the where are two lines?
input data:
2021-11-01 14:09:34 CET Address: 2a03:1234:1234:4::142 has been assigned for 7257600 seconds to a device with DUID: 00:03:00:01:00:1e:80:ec:8a:f4 connected via relay at address: fe80::21e:80ff:feec:8af4 for client on link address: 2a03:1234:1234:4::1, connected at location interface-id: 61:65:33:32:30:3a:32:36:36:39:2d:34Prefix: 2a03:1234:1234:1900::/56 has been assigned for 7257600 seconds to a device with DUID: 00:03:00:01:00:1e:80:ec:8a:f4 connected via relay at address: fe80::21e:80ff:feec:8af4 for client on link address: 2a03:1234:1234:4::1, connected at location interface-id: 61:65:33:32:30:3a:32:36:36:39:2d:34
I've created two grok patterns to match the input:
%{TIMESTAMP_ISO8601:time} .* Address: .* has been .* for .* seconds to a device with DUID: .* connected via relay at address: .* for client on link address: .* connected at location interface-id: .*Prefix: %{GREEDYDATA:client_ip} has been %{WORD:action} for %{INT:leasetime} seconds to a device with DUID: .* connected via relay at address: .* for client on link address: .* connected at location interface-id: (?<interfaceid>[0-9a-f]{2}(:[0-9a-f]{2})*)
%{TIMESTAMP_ISO8601:time} .* Address: %{GREEDYDATA:client_ip} has been %{WORD:action} for %{INT:leasetime} seconds to a device with DUID: .* connected via relay at address: .* for client on link address: .* connected at location interface-id: (?<interfaceid>[0-9a-f]{2}(:[0-9a-f]{2})*)
My issue is the output is an array:
{
"client_ip" => [
[0] "2a03:1234:1234:4::142 has been assigned for 7257600 seconds to a device with DUID: 00:03:00:01:00:1e:80:ec:8a:f4 connected via relay at address: fe80::21e:80ff:feec:8af4 for client on link address: 2a03:1234:1234:4::1, connected at location interface-id: 61:65:33:32:30:3a:32:36:36:39:2d:34Prefix: 2a03:1234:1234:1900::/56",
[1] "2a03:1234:1234:1900::/56"
],