Split a string to array/list, greedy match

blukit · November 13, 2020, 8:40am

Hi all...
I have a message field that contains multiline string. Need to split it to an array for each line, because will do some logic based on a certain lines. But so far only able to catch the first line.

A simplified log sample

    JSONRestClient : GET Response details: 
    --------------------------------------------
    Response method: GET
    ETag [W/"8e-hDyRewehT0hTestTUAILD4GrqfI"]
    Access-Control-Allow-Origin [*]
    Content-Length [142]
    Date [Wed, 11 Nov 2020 11:00:13 GMT]
    Cache-control [private]
    X-Powered-By [Express]
    Content-Type [application/json; charset=utf-8]
    Response content: {"data":[{"bankCode":"494",{"bankCode":"002","bankName":"BANK XYZ"}],"responseCode":"00","responseDesc":"Success"}

I've tried this config, but only get the first line of log

grok {
match => ["message", "(?[^\r\n]*)" ]
remove_field => ["message"]
break_on_match => false
}

Need it to be

"msg": ["Access-Control-Allow-Origin [*]", " Content-Length [142]", ... ]

Already tried Split filter plugin | Logstash Reference [7.16] | Elastic but don't want to split it as individual event

wangqinghuan · November 14, 2020, 6:06pm

Hi
I believe you should seek mutline support rather than split support as your log sample spans multiple lines.

blukit · December 2, 2020, 10:58am

ok...found it, ruby code

ruby {
code => "
message = event.get("message")
msg = message.split("\n")
event.set("msg", msg)
"
}

system · December 30, 2020, 10:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.