Regarding Mutate Ruby filter

suresh_u · June 29, 2022, 7:16am

I have 1 sample transaction number 10004567-P658910-569876.

I want to seperate above transaction number with index 0 as 1 seperate field and remaining as other field.

Ex: 10004567-P658910-569876
Num_field = 10004567
Remaining_field = P658910-569876

I tried using mutate split method. I am unable to loop over array.
Below is the snippet I have tried:

mutate {
split => { "doc_number" => "-" }
ruby {
** code => '**
** ids = event.get("doc_number")**
** ids.each_with_index do |value, index|**
** if index[0]**
** event.set("[doc_number]",value)**
** end **
** end**
** '**
** }**
}

Could you please @magnusbaeck help me out?

Thanks.

preetish_P · June 29, 2022, 9:25am

Hi @suresh_u ,

I would use the below approach for this:

grok { match => ["doc_number","%{GREEDYDATA:field1}-%{GREEDYDATA:temp_field1}-%{GREEDYDATA:temp_field2}"] 
add_field => { "field2" => "%{temp_field1}%{temp_field2}" }}

suresh_u · June 29, 2022, 9:49am

thanks @preetish_P I will try

system · July 27, 2022, 9:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.