Hi, I try to retrieve one key in my message,
if this key existe not add, else add key.
I try this code :
ruby {
code => '
size = event.get("262")
tata= event.get("50")
if event.get("50").nil?
event.set("size", size)
end
'
}
It is working, but I don't have value in field. I have nil .
Please I need helps.
Thanks.
Hi,
I think you can use if statement like this:
if ![50]{
mutate{
add_field => {"size" => %{262}}
}
}Hi shin-higuchi,
Thanks for your reply.
It does not work. It is not a field but a key in the message.
So, which format is your original input log?
JSON? CSV? Plain text?...
Could you paste sample here?
ok, my original input is :
2017-05-22 13:50:00.000 INFO names1 - X < 8=fac|9=154|35=V|34=9||50=Good|262=lsrx5248|263=0|264=0|265=0|146=1|269=0|269=1|10=014
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
2017-05-22 14:50:00.000 INFO names2 - X < 8=fac|9=154|35=V|34=9||50=BAD|262=lsyx48|263=0|264=0|265=0|146=1|269=0|269=1|10=014
2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214
2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214
2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214
2019-05-22 14:50:08.000 INFO names2 - Q > 8=fac|9=5|262=lsyx48|0=214
filter {
grok {
match => ["messages","(?%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}.[0-9]{3}) %{WORD:loglevel} %{WORD:A} - %{WORD:B} (.)(<|>) %{GREEDYDATA:C }"]
}
if "_grokparsefailure" in [tags] {
drop {}
}
kv {
source =>"C"
field_split=>"|"
value_split => "="
}
mutate {
remove_field => ["path","@version","version","message","type","host","loglevel"]
rename => {
"50" =>"Who"
"262" =>"id"
....
}
add_field => { "message_out" => "%{date},%{A},%{B},%{C}" }
}
}
output {
elasticsearch {
hosts => "xx.xx.xx.xx:9200"
index => "tata-%{+YYYY.MM.dd}"
}
Now :
if you notice, x send you a type 50 and an id 262.
And Q answers on 262 and in Q, we do not have 50.
Basically they communicate on id 262.
So the goal is whenever X sends a type and an id, Q also responds to him with the id and the type that goes with it. .
Basically, I want to retrieve 50 and 262 for each message in Q.
Thanks for you help.
Thank you MamBarry.
Actually I don't understand this point
It is not a field but a key in the message.
If you use kv filter, keys in your original message (ex. "50", "262") should be parsed as fields .
I guess my first code should work in this case.
Thanks.
ok, my source is C, then I split this C in KV, after finish that, I have 50 et other key.
examples 1 in this type messages : X < 8=fac|9=154|35=V|34=9||50=Good|262=lsrx5248|263=0|264=0|265=0|146=1|269=0|269=1|10
output : 50 and 262.
example 2 in this type messages : 2017-05-22 13:50:08.000 INFO names1 - Q > 8=fac|9=4|262=lsrx5248|0=213
output : juste 262.
Basically, I want for each messages retrieved 50 and 262.
sorry I'm not better in english.
I want to get the 50 that corresponds to the id 262 for each messages.
Thanks
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.