Saving a string from an array of strings as a field

rjm61 · January 10, 2018, 4:27pm

I am using a kv filter to split an event message of comma separated values on the coma character to create a string array fa and saving a specific array element as a field as follows

filter {
  kv { # Split comma separated data into an array (fa). 
     field_split => ","
     source => "message"
     target => "fa"
  }
  mutate {
     add_field => { "server-name" => "%{fa[3]}" }
  }
  ...  
}

This always generates the litteral text "%{fa[3]}" as the server-name field value rather than the contents 4th element in the fa array. Please can someone tell me what I am doing wrong?

Later on in an output filter I can embed "%{fa[3]}" in a string to export the same array element to a file using the sprintf forma.. Please can someone tell me what am I missing above?
Logstash version = 5.2.2

guyboertje · January 11, 2018, 11:47am

The KV filter does not work as you expect.

What does your message line look like?

Testing...
Config:

input {
  generator {
    message => "a=foo,b=bar,c=baz"
    count => 1
  }
}

filter {
  kv { # Split comma separated data into an array (fa).
     field_split => ","
     source => "message"
     target => "fa"
  }
  mutate {
     add_field => { "server-name" => "%{fa[3]}" }
     add_field => { "success" => "%{[fa][b]}" }
  }
}

output {
  stdout {
    codec => rubydebug {metadata => true}
  }
}

Result:

{
    "server-name" => "%{fa[3]}",
       "sequence" => 0,
     "@timestamp" => 2018-01-11T11:45:17.575Z,
        "success" => "bar",
       "@version" => "1",
           "host" => "Elastics-MacBook-Pro.local",
             "fa" => {
        "a" => "foo",
        "b" => "bar",
        "c" => "baz"
    },
        "message" => "a=foo,b=bar,c=baz"
}

system · February 8, 2018, 11:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.