Parsing the string with not specific delimeters

saisn · November 21, 2016, 8:20am

I have a field which is of type string and holds a log data from which i need to identify specific fields as below. what could be the best way to do this when string doesn't have a fixed delimiter

"Log": "2016-01-01T00:00:12|DEBUG|89ID:701Task':
ID=701125351 wayID=666 iceID=688 UID=733008 MID=00D089DE DName=null
......................................

the data above is stored in a field called outputdata. I have to read a field like UID=733008 from it. Is there a way in logstash that can read the matching words as UID and save that UID field in a index.

Christian_Dahlqvist · November 21, 2016, 8:33am

Use a grok filter to first parse out all the fields up to and including the colon. Parse and store the rest in a variable using a GREEDYDATA pattern. You can then apply a kv filter to parse the key-value list.

saisn · November 21, 2016, 8:47pm

i dont have a fixed length delimiter here some has tab some has few spaces. In kv the default delimeter is " ". how can i fix in such a situation

Christian_Dahlqvist · November 21, 2016, 9:11pm

You could perhaps pre-process the kv list with a mutate gsub filter to replace all tabs with spaces?

saisn · November 22, 2016, 6:05pm

Sorry, but 'tab' is not a delimiter here.
The delimiter is actually some variable number of spaces.

system · December 20, 2016, 6:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.