Split an event into multiple events

Nikhil_Utane · July 31, 2017, 11:14am

Hi,

I have a following incoming event.I need to extract [custombeat][parameters] fields (highlighted in bold) into multiple events.
i.e. event1: type=lte, status=3
event2: type=cpu, status=0
event3: type=network, status=0
event4: type=memory, status=3
`

[2017-07-31T16:07:36,530][DEBUG][logstash.pipeline ] filter received {"event"=>{"custombeat"=>{"parameters"=>{"lte_status"=>3, "cpu_status"=>0, "network_status"=>0, "memory_status"=>3}}, "@timestamp"=>2017-07-31T10:40:10.447Z, "beat"=>{"hostname"=>"localhost.localdomain", "name"=>"localhost.localdomain", "version"=>"5.5.2"}, "@version"=>"1", "host"=>"localhost.localdomain", "metricset"=>{"rtt"=>6, "module"=>"custombeat", "name"=>"parameters", "host"=>"localhost"}, "type"=>"metricsets", "fields"=>{"document_type"=>"custommetrics"}, "tags"=>["beats_input_raw_event"]}}

`
If required, I can suitably modify the incoming event into a format that is easy to parse/split but ultimately I need them to go into elasticsearch in the format that I have mentioned. I suppose I can use ruby code or split plugin but not able to get it to work.

Thanks
Nikhil

Nikhil_Utane · July 31, 2017, 11:50am

To ask the question more clearly, if I can modify by custombeat module to send the data in this format instead then I should simply be able to use the split filter.

{"summary" : [{ "name": "cpu", "status": "0"}, {"name": "memory", "status": "1"}]}

How to achieve this? Thanks.

system · August 28, 2017, 11:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.