I have my log something like this:
May 23 2018 06:32:47 GMT: INFO (xdr): (xdr.c:607) [030]: dc-state CLUSTER_UP timelag-sec 0 lst 1527057166864 mlst 1527057166864 (2018-05-23 06:32:46 GMT) fnlst 0 (-) wslst 0 (-) shlat-ms 1 rsas-ms 0.000 rsas-pct 0.0 con 384 errcl 502 errsrv 1182 sz 6
I parsed it using the grok filter and I have something called list_field_value.
list_field_value = dc-state CLUSTER_UP timelag-sec 0 lst 1527057166864 mlst 1527057166864 (2018-05-23 06:32:46 GMT) fnlst 0 (-) wslst 0 (-) shlat-ms 1 rsas-ms 0.000 rsas-pct 0.0 con 384 errcl 502 errsrv 1182 sz 6
It is a combination of fields and values.
Here dc-state is a field and CLUSTER_UP is its respective value, and so on.
Now I am using the ruby filter in Logstash to split list_field_value into two arrays: one category_fields and the other category_field_values.
Now I want to ignore two types of values while splitting: one is (2018-05-23 06:32:46 GMT), like a timestamp, and the other is (-).
I tried splitting on the basis of \s, but then these two fields are also coming, and the timestamp is breaking and getting split, with some part of it coming in category_field and some part in category_field_values. I defined a regex for the above timestamp and put it under split, but it's not working.
Here is my ruby code:
ruby {
  code => '
    category_fields = []
    category_fields_values = []
    # Grok names such as %{YEAR} are not expanded inside Ruby; the timestamp pattern is written out.
    # Separators: a "(YYYY-MM-DD HH:MM:SS GMT)" timestamp, a "(-)" placeholder, or whitespace.
    tokens = event.get("list_field_value").split(/\(\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}:?\d{2}(?:\.\d+)?\s*GMT\)|\(-\)|\s+/)
    # Two separators side by side leave an empty string behind; drop them or the field/value pairing drifts.
    tokens.reject(&:empty?).each_with_index do |v, i|
      if i.even?
        category_fields << v
      else
        category_fields_values << v
      end
    end
    event.set("category_fields", category_fields)
    event.set("category_fields_values", category_fields_values)
  '
}
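Added example, not part of the original post: the same tokenising in plain Ruby, outside Logstash, so it can be checked on its own before going into a ruby filter. It uses a constructed copy of the post's list_field_value; the split version drops the parenthesised annotations as the post wants, and a second, scan-based version goes further and keeps each annotation attached to the value it follows.

```ruby
# Constructed sample, identical in shape to the list_field_value in the post.
LIST_FIELD_VALUE = "dc-state CLUSTER_UP timelag-sec 0 lst 1527057166864 " \
  "mlst 1527057166864 (2018-05-23 06:32:46 GMT) fnlst 0 (-) wslst 0 (-) " \
  "shlat-ms 1 rsas-ms 0.000 rsas-pct 0.0 con 384 errcl 502 errsrv 1182 sz 6"

# Parenthesised annotations that follow a value: a GMT timestamp or a bare "(-)".
# Plain Ruby regex; grok names such as %{YEAR} are not available inside Ruby.
ANNOTATION = /\((?:\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}:?\d{2}(?:\.\d+)?\s*GMT|-)\)/

# Split approach (what the post attempts): remove annotations, then pair tokens.
# Wherever two separators touch, split leaves an empty string; those must be
# rejected before pairing, otherwise field/value alignment silently breaks.
def split_into_pairs(str)
  tokens = str.split(/#{ANNOTATION}|\s+/).reject(&:empty?)
  raise ArgumentError, "odd token count: #{tokens.inspect}" if tokens.size.odd?
  tokens.each_slice(2).to_h
end

# Scan approach: "field value [annotation]" triples, annotation nil when absent,
# e.g. "mlst" => ["1527057166864", "(2018-05-23 06:32:46 GMT)"].
def scan_into_triples(str)
  str.scan(/(\S+)\s+(\S+)(?:\s+(#{ANNOTATION}))?/)
     .map { |field, value, annotation| [field, [value, annotation]] }
     .to_h
end
```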