Simple Split filter

Lebedev · April 4, 2019, 9:29am

Hello! Dear collegues, need your help!
I have the input log

09:00:00.023|SMSG|***|ROUTING begin
FLD_029 **
VALIDITY_FLAG T
TIME_STAT |POS_ISO

09:00:00.024|DEBG|***|proc_new_msg()
FLD_029 **
VALIDITY_FLAG F
TIME_STAT |POS_ISO_IN_E-21600.06876

Every paragraph i want write to the one event, well i see that every paragraph separate "\n\n"

I right the folowing conf:

beats {

port => 5055
host => "**.**.**.**"
tags => ["gateway_ssl"]
}

filter {

if "gateway_ssl" in [tags] {

    mutate {"message", \n, " ; "}
split {
terminator => "\n\n"
add_tag => ["mutated"]	
}
 }

}

if "gateway_ssl" in [tags] {
elasticsearch {
hosts => "localhost:9200"
index => "gateway_ssl-%{+YYYY.MM.dd}"
}}

What am i do wrong? Could you help me correct my config?
Thank you a lot!

Badger · April 4, 2019, 12:00pm

Are you consuming the entire file as a single event?

Lebedev · April 4, 2019, 12:34pm

Hi, Badger! Glad to hear you)
No, not all file as single event. Just paragraph betwee two \n\n

Exm:
1 event:
09:00:00.023|SMSG|***|ROUTING begin
FLD_029 **
VALIDITY_FLAG T
TIME_STAT |POS_ISO

2 event:
09:00:00.024|DEBG|***|proc_new_msg()
FLD_029 **
VALIDITY_FLAG F
TIME_STAT |POS_ISO_IN_E-21600.06876

After i will to need grok every event, i have prepered config

grok {
match => {
"message" => [
"%{TIME:time_transaction}|%{DATA:INFO}|%{NUMBER:number}|%{GREEDYDATA:type_transaction}",
"FLD_029: %{NUMBER:FLD_029_value}",
"VALIDITY_FLAG: %{WORD:VALIDITY_FLAG_value}",
"LOCALITY_FLAG: %{WORD:LOCALITY_FLAG_value}",
"RSW_CAPTURE_FLAG: %{WORD:RSW_CAPTURE_FLAG_value}"]}

   add_tag => [ "grokked" ]}

Badger · April 4, 2019, 12:47pm

If you completely remove the filter {} section and use stdout { codec => rubydebug } as the output then what does a single event look like?

Lebedev · April 12, 2019, 2:10pm

Well, i tried to delete all filter configuration.
And added stdout rubydebuger, now i see that every line its the single event. Its not i need((
But every event have the tag: beats_input_codec_plain_applied
Is it Ok?
Maybe i have another solutions to this task?

system · May 10, 2019, 2:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split an event into multiple events Logstash	2	786	August 28, 2017
Splitting an event into multiple documents Logstash	5	4025	January 31, 2018
Using split filter to break multi-line messages into separate (single-line) events Logstash	3	3047	July 25, 2019
Logstash filter : Split plugin doesn't seems to work Logstash	9	5639	July 6, 2017
Help with Split Filter Logstash	4	227	July 6, 2021

Simple Split filter

Related topics