Process single data to apply multiple split and store as array

karthick2020 · June 23, 2020, 5:36am

Hi Team,
I am looking for clarifications on below
sample log: 30338 /opt/IBM/WebSphere/AppServe 19.1 1.3~ 4609 /opt/BESClient/bin/BESClien 0.2 0.4~20235 /opt/IBM/WebSphere/AppServe 18.8 0.3~ 354 /opt/IBM/WebSphere/AppServe 11.2 0.1~ 5193 /opt/IBM/WebSphere/AppServe 2.9 0.1~23920 /opt/IBM/WebSphere/AppServe 4.3 0.1~30811 /opt/Tanium/TaniumClient/Ta 0.7 0.1

grok filter: %{GREEDYDATA:process}

my output:
"process": [
[
"30338 /opt/IBM/WebSphere/AppServe 19.1 1.3~ 4609 /opt/BESClient/bin/BESClien 0.2 0.4~20235 /opt/IBM/WebSphere/AppServe 18.8 0.3~ 354 /opt/IBM/WebSphere/AppServe 11.2 0.1~ 5193 /opt/IBM/WebSphere/AppServe 2.9 0.1~23920 /opt/IBM/WebSphere/AppServe 4.3 0.1~30811 /opt/Tanium/TaniumClient/Ta 0.7 0.1~ 1 init [3] 0.0 0.0~ 2 [migration/0] 0.0 0.0~ 3 [ksoftirqd/0] 0.0 0.0~ 4 [migration/1] 0.0 0.0~ 5 [ksoftirqd/1] 0.0 0.0~ 6 [events/0] 0.0 0.0~ 7 [events/1] 0.0 0.0~ 8 [khelper] 0.0 0.0"
]
]

Now I want to apply multiple split
1st split using "~" & write to array type field - "process_tmp"
mutate {
copy => { "process" => "process_tmp" }
}
mutate {
split => { "process_tmp" => "~ " }
}

sample output for process_tmp field:
30338 /opt/IBM/WebSphere/AppServe 19.1 1.3,4609 /opt/BESClient/bin/BESClien 0.2 0.4

2nd split using " " (space) and store it to defined array for all entries.
mutate {
split => { "process_tmp" => " " }
add_field => { "system_proc_pid" => "%{[process_tmp][0]}" }
add_field => { "system_proc_name" => "%{[process_tmp][1]}" }
add_field => { "system_proc_mem" => "%{[process_tmp][2]}" }
add_field => { "system_proc_cpu" => "%{[process_tmp][3]}" }
}

expected final output:
system_proc_pid = 30338, 4609
system_proc_name = /opt/IBM/WebSphere/AppServe, /opt/BESClient/bin/BESClien
system_proc_mem = 19.1, 0.2
system_proc_cpu = 1.3, 0.4

Is this feasible?. I tried above and get actual output as below
system_proc_pid = 30338 /opt/IBM/WebSphere/AppServe 19.1 1.3
system_proc_name = 4609 /opt/BESClient/bin/BESClien 0.2 0.4
system_proc_mem = 20235 /opt/IBM/WebSphere/AppServe 18.8 0.3
system_proc_cpu = 354 /opt/IBM/WebSphere/AppServe 11.2 0.1

karthick2020 · June 25, 2020, 4:28pm

Hi Team,
Please ignore this. I have found solution and implemented for my project.

system · July 23, 2020, 4:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.