Spilt an Event Into 2

Nastooh · December 15, 2016, 9:33pm

Hi
I've been looking at similar QA on similar topic, and couldn't find an applicable answer. I think I have a simple case, i.e., I get records of form:
who="Mr. boo", A1=v1,A2=v2
and what I would like to get are 2 records:
{who:"Mr. boo",
A_type:A1,
A_val:v1}
{who:Mr. boo",
A_type:A2,
A_val:v2}
My initial attempt was to use 2 grok filters:
who=%{DATA:who},%{DATA:A_type}=%{NUMBER:A_val},%{GREEDYDATA:skip}
who=%{DATA:who},%{GREEDYDATA:skip},%{DATA:A_type}=%{NUMBER:A_val}

This gives me:
{who:["Mr. boo","Mr. boo"],
A_type:[A1,A2],
A_val:[v1,v2]}
I not sure how to split these arrays into separate events.
Setup: LS 2.2.4, ES:2.4.1(Lucene:5.5.2) and Kibana:4.4.2
Cheers,

warkolm · December 15, 2016, 10:17pm

Use the clone filter, then drop fields accordingly.

Nastooh · December 15, 2016, 11:47pm

Thank you Mark. Would this go something like this:
clone {
clones => [ "message", "Event_1" ] //To preserve the original event
}
clone {
clones => ["Event_2"] // Clone it
}
//Process individually
grok{
match => {"Event_1"=>"who=%{DATA:who},%{DATA:A_type}=%{NUMBER:A_val},%{GREEDYDATA:skip}"}
}
grok{
match => {"Event_2"=>"who=%{DATA:who},%{GREEDYDATA:skip},%{DATA:A_type}=%{NUMBER:A_val}"}
}
Cheers,

Topic		Replies	Views
Splitting an event into multiple documents Logstash	5	4131	January 31, 2018
Transforming data array to multiple event copies Logstash	3	354	December 13, 2019
Splitting multiple arrays in Logstash to create multi events Logstash	4	1857	July 29, 2019
Help with Split Filter Logstash	4	267	July 6, 2021
How to split array field in json and send it as separate event Logstash	3	377	October 3, 2019

Spilt an Event Into 2

Related topics