Split an output of a kv filter

arjun_purushotham · June 6, 2019, 3:06pm

Hi

Below is my logstash filter configuration.

filter {
if [type] in [ "apache" , "apache_access" , "apache-access" ] {
grok {
match => [
"message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}",
"message" , "%{COMMONAPACHELOG}+%{GREEDYDATA:extra_fields}"
]
overwrite => [ "message" ]
}
kv {
source => "extra_fields"
field_split => ",/"
}
csv {
source => "extra_fields"
target => "fieldlist"
}

  mutate {
     convert => ["response", "integer"]
     convert => ["bytes", "integer"]
     convert => ["responsetime", "float"]
  }

mutate {
split => {"extra_fields" => "," }
}

  geoip {
     source => "clientip"
     target => "geoip"
     add_tag => [ "apache-geoip" ]
  }
  date {
     match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
     remove_field => [ "timestamp" ]
  }
  useragent {
     source => "agent"
  }

}

How can i Split data of fieldlist even more.
ie,

I want to filter fieldlist.column4 even more till the third occurence of a '/' and store it in a new field.

Badger · June 6, 2019, 11:58pm

Please do not post pictures of text, just post the text. You need to split the field called fieldlist.column4. What is the pattern of the data in that field, and can you provide an example of the data?

Given that you have not shown what the input data looks like, it does not help us to help you for you to show us the rest of your configuration.

arjun_purushotham · June 7, 2019, 6:46am

Hi Badger,
Thanks for the reply.

Input to Field is
careers.azimpremjifoundation.org, 1160476, 200, POST /ApplyJobAPI/applyJobWithCustomFields HTTP/1.1

Here
fieldlist.column1 will have data as careers.azimpremjifoundation.org
fieldlist.column2 will have data as 1160476
fieldlist.column3 will have data as 200
fieldlist.column4 will have data as /ApplyJobAPI/applyJobWithCustomFields HTTP/1.1

My fieldlist.column4 has data's like:

/ccubeAPI/getCompanyConfigurationDetails/15119
/profileAPI/getProfile/1209895
/manage/angular-pages/custom-fields-directive.html
/userAPI/loginAccess
/common-files-v1.0/common-htmls/view-file-template.html
/ccubeAPI/getJobForUrl/teacher-educator-chhattisgarh-india-karnataka-india-madhya-pradesh-india-puducherry-india-rajasthan-india-telangana-india-uttarakhand-india-201901260802088.

So from this I have to Filter fieldlist.column4 data till the third occurence of a '/' and store it in a new field.

Badger · June 7, 2019, 1:15pm

Does

grok { match => { "[fieldlist][column4]" => "^(?<someField>/[^/]+/[^/]+/)" } }

do what you want?

arjun_purushotham · June 7, 2019, 1:25pm

Kudos!!!
This does my work:)
Thank You So much Badger.

system · July 5, 2019, 1:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use split filter on the field using logstash Logstash	5	6148	March 27, 2019
How to stop fields from kv filter splitting Logstash	3	299	March 21, 2019
How to Split the one field into multiple fields using kv plugins Logstash	5	2610	April 11, 2019
Strange behaviour kv field_split Logstash	5	854	April 8, 2020
Key value pair Logstash	2	1760	February 4, 2019

Split an output of a kv filter

Related topics