@elasticforme
yes. I checked it. I also did the same thing but it did not work,
Is there anything missing? Could you please check at your end ?
my conf file
mutate {
split => ["message","#"]
add_field => {"part1" =>"%{[message][0]}"}
add_field => {"part2" =>"%{[message][1]}"}
strip => [ "part1"]
strip => [ "part2"]
}
mutate {
split => ["part1","="]
add_field => {"partA" =>"%{[part1][0]}"}
add_field => {"partB" =>"%{[part1][1]}"}
strip => [ "partA"]
strip => [ "partB"]
}
mutate {
split => ["part2","="]
add_field => {"partC" =>"%{[part2][0]}"}
add_field => {"partD" =>"%{[part2][1]}"}
strip => [ "partC"]
strip => [ "partD"]
}
Result : It did not remove spaces.
{
"message" => [
[0] "myapp.myproject.notice.student.request-time = 2019-12-13 12:37:01.4 ",
[1] " myapp.myproject.notice.student.response-time = 2019-12-13 12:37:19.276"
],
"partA" => "myapp.myproject.notice.student.request-time ",
"partD" => " 2019-12-13 12:37:19.276",
"@timestamp" => 2019-12-19T16:45:18.527Z,
"@version" => "1",
"part1" => [
[0] "myapp.myproject.notice.student.request-time ",
[1] " 2019-12-13 12:37:01.4 "
],
"partC" => " myapp.myproject.notice.student.response-time ",
"part2" => [
[0] " myapp.myproject.notice.student.response-time ",
[1] " 2019-12-13 12:37:19.276"
],
"partB" => " 2019-12-13 12:37:01.4 ",
"host" => "ip-xx-0-0-xx"