Single key (field) with multiple values to multiple key (fields) with single fields convertion

Andres_Man · October 17, 2019, 3:25pm

I need to split a log into multiple fields however the log has the same field name for multiple values and when I use the fiedl_split option of kv it will put all the the fields with the same key in the same field. How can I put the values into separate fields with distinct names.

The desire output should be:
pin=12345-0 d=123 A_foo=nice@bar.com B_foo=bobo C_foo=12345.

However what I'm getting right now is:
pin=12345~0 d=123 foo= nice@bar.com, bobo, 1234

//pin=12345~0&d=123&foo=nice@bar.com&foo=bobo&foo=12345 //

// filter { //
// kv { //
// field_split => "&?" //
// } //
// } //

Badger · October 17, 2019, 3:49pm

You could do that using a ruby filter

    kv { field_split => "&" }
    ruby {
        code => '
            foo = event.get("foo")
            foo.each_index { |x|
                event.set("foo-#{x}", foo[x])
            }
        '
    }

Andres_Man · October 17, 2019, 3:50pm

@Badger Thanks, that did the trick.

system · November 14, 2019, 3:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.