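ruby {
  code => "
    # Keep only the '|'-separated segments that contain a key=value pair
    pairs = event.get('message').to_s.split('|').select { |x| x.include?('=') }
    pairs.each { |y|
      # Split on the first '=' only, so values may themselves contain '='
      k, v = y.split('=', 2)
      event.set(k.strip, v) unless k.strip.empty?
    }
    # Upper-case 'acronym' only when the field is present
    acronym = event.get('acronym')
    event.set('acronym', acronym.upcase) if acronym.is_a?(String)"
}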
To explain my ruby code:
- I had a problem with the kv filter not splitting how it should, so I wrote my own splitter. This is explained here: How to handle '=' in values, splitting on | but KV takes over all '=' not only the first
- Also I've had a problem with uppercase, so I wrote my own uppercase in ruby.
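The splitter from the post above, rewritten as a standalone function so it can be exercised outside Logstash; this is an added example, not part of the original post. The function name `parse_pipe_kv`, the `PROTECTED` list (fields that keys parsed from log content are not allowed to overwrite) and the sample line are assumptions of this example.

```ruby
# Added example: the post's splitter as a plain function returning a Hash.
# PROTECTED is an assumption of this example: event fields that keys taken
# from untrusted log content must never overwrite.
PROTECTED = ['message', '@timestamp', '@version'].freeze

# Split on '|', then split each segment on the FIRST '=' only, so a value keeps
# any further '=' characters (the case the kv filter mishandled in the post).
def parse_pipe_kv(message)
  fields = {}
  message.to_s.split('|').each do |segment|
    next unless segment.include?('=')        # skip segments with no key=value pair
    key, value = segment.split('=', 2)       # limit 2: only the first '=' separates
    key = key.strip                          # keys are stripped, values kept verbatim
    next if key.empty? || PROTECTED.include?(key)
    fields[key] = value
  end
  # Upper-case 'acronym' only when present, avoiding NoMethodError on nil.
  fields['acronym'] = fields['acronym'].upcase if fields['acronym'].is_a?(String)
  fields
end

# Constructed sample line (not taken from the original post).
SAMPLE = 'header|acronym=abc|query=a=b&c=d| user = bob|@timestamp=1970|novalue|=orphan'

if __FILE__ == $PROGRAM_NAME
  parse_pipe_kv(SAMPLE).each { |k, v| puts "#{k.inspect} => #{v.inspect}" }
end
```
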