Hi -
I have the below message coming to the ELK, and I'd like to parse those values, create a mapping (Key => Value) and add them as separate fields in Elasticsearch.
Please let me know how I could do this.
You'll have to use a ruby filter that loops over the items in the [json][Terminal] field and adds the new fields. Something like this should work:
event.get('[json][Terminal]').each { |h|
event.set(h['Name'], h['Value'])
}
Thanks @magnusbaeck.
That worked. Things I wanted to know:
How do I change the data type of the fields getting created? We'd expect this to be Integer.
And I've a field
I'd need to split the values separated by the colon (';') and push them to 4 different fields.
I've a ruby script created:
filter {
  ruby {
    code => "
      data = event.get('CpuLoad').split(';')
      data.each_index { |i|
        event.set(i.to_s, times[i])
        if times[i] == '4'
          event.set('IndexValue', event.get('id').index(4))
        end
      }
    "
  }
}
It would be really a great help if you could help me out on this. Thanks !
See https://code-maven.com/convert-string-to-number-in-ruby. Keep in mind that if the destination field exists in ES as a string field you'll have to reindex the current index or create a new index to actually map the field as an integer.
Thanks so much for your quick reply @magnusbaeck.
Could you please help me out with the other question:
And I’ve a field
I'd need to split the values separated by the colon (';') and push them to 4 different fields.
I've created a ruby script but it doesn't seem to be right. Could you please have a look:
filter {
  ruby {
    code => "
      data = event.get('CpuLoad').split(';')
      data.each_index { |i|
        event.set(i.to_s, times[i])
        if times[i] == '4'
          event.set('IndexValue', event.get('id').index(4))
        end
      }
    "
  }
}
Thanks in advance.
Except that I don't know where times comes from, the script looks more or less correct. Replace times[i] with data[i]?
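Both steps discussed in this thread (Name/Value pairs turned into fields, and CpuLoad split on ';' with integer conversion), written as an added example that is not code from any poster. FakeEvent, the terminal_ prefix and the CpuLoadN field names are assumptions; the prefix keeps a Name arriving in the log from overwriting an existing event field.

```ruby
# Minimal stand-in for the Logstash event API (get/set only, field references
# treated as flat keys). Hypothetical helper, not LogStash::Event itself.
class FakeEvent
  def initialize(data)
    @data = data
  end

  def get(key)
    @data[key]
  end

  def set(key, value)
    @data[key] = value
  end
end

# Convert to Integer when the string is a clean decimal number, else keep it.
def to_int_or_keep(value)
  Integer(value.to_s.strip, 10)
rescue ArgumentError
  value
end

# Body of the ruby filter: both steps from the thread in one place.
def expand_fields(event, items_field, load_field)
  # Name/Value pairs become fields under 'terminal_' (assumed prefix) so a
  # name arriving in the log cannot overwrite an existing field like 'message'.
  (event.get(items_field) || []).each do |h|
    next unless h.is_a?(Hash) && h['Name']
    event.set("terminal_#{h['Name']}", to_int_or_keep(h['Value']))
  end

  # 'a;b;c;d' becomes CpuLoad1..CpuLoadN (assumed field names).
  raw = event.get(load_field)
  return event unless raw.is_a?(String)
  raw.split(';').each_with_index do |part, i|
    event.set("#{load_field}#{i + 1}", to_int_or_keep(part))
  end
  event
end

# Constructed sample event, not data from the thread.
SAMPLE = FakeEvent.new(
  '[json][Terminal]' => [{ 'Name' => 'Port', 'Value' => '8080' },
                         { 'Name' => 'message', 'Value' => 'n/a' }],
  'message' => 'original line',
  'CpuLoad' => '12;7;4;x'
)
expand_fields(SAMPLE, '[json][Terminal]', 'CpuLoad')
```

Inside Logstash, the body of expand_fields goes into the ruby filter's code string and operates on the real event; as noted in the thread, an index that already maps these fields as strings still has to be reindexed before they show up as integers.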