Split csv column to several fields

eprst · December 10, 2015, 11:17pm

i use logstash to import from csv to elastic. the problem is that one of the fields contains the string formatted as "int|string|string" and i need to parse this and put into nested field. what are possible solutions for this?
Also this field is array

magnusbaeck · December 11, 2015, 7:18am

Sounds like the mutate filter's split option would be a good fit.

eprst · December 13, 2015, 11:25pm

the first problem is that it is array of that strings divided by ", ". the second one is that array should be added as nested objects in elastic and the parts of that string are fields of nested object. i have no idea how i can use split for this.

magnusbaeck · December 14, 2015, 6:36am

Sorry, I don't understand what you're talking about. Describing the problem with examples is usually better than using words. Show us what event you have and what you'd like to achieve.

eprst · December 14, 2015, 8:57am

this column in csv contains the folowing: 1|http://blahblahblah.com|blahblahblah,23|http://anotheraddres.com/|anothertext

magnusbaeck · December 14, 2015, 8:58am

Yes? And what's the expected result?

eprst · December 14, 2015, 9:08am

in es document there is nested field where i want to insert these values, like this:
links
properties:[
{ "link.id":"1",
"link.url":"http://blahblahblah.com",
"link.name":"blahblahblah"
},
{ "link.id":"23",
"link.url":"http://anotheraddress.com/",
"link.name":"anothertext"
}]

magnusbaeck · December 14, 2015, 9:35am

So you want to update a document that already exists and add new JSON objects to an array? That's... not so easy.

eprst · December 14, 2015, 9:47am

No i want to create new document

magnusbaeck · December 14, 2015, 9:58am

Right, but you want each line of the CSV file to build upon each other and in the end result in a single document containing all URL/name pairs found in the CSV file?

Because an input file isn't necessarily read in one pass and potentially could be very large you'd typically implement this by having it create an initial document and update it for each line of the input file.

eprst · December 14, 2015, 9:59am

one line =>one doc

magnusbaeck · December 14, 2015, 11:43am

Okay, now it's all clear. I think you'll have to involve a ruby filter. Untested but should be fairly close:

ruby {
  code => "
    event['links'] = event['message'].split('\\,').collect { |t|
      c = t.split '|'
      {
        'link_id' =>  c[0],
        'link_url' => c[1],
        'link_name' => c[2]
      }
    }
  "
}

Note that Elasticsearch no longer allows periods in field names so I replaced them with underscores. If you want each element of the array to contain a single object with three keys (id, url, name) that's of course doable too.

eprst · December 14, 2015, 12:04pm

thank u very much i will try it later.

eprst · December 14, 2015, 12:05pm

but will it create multiple links for single document?

magnusbaeck · December 14, 2015, 12:14pm

but will it create multiple links for single document?

Yes. I realized that I missed one crucial part earlier. I've updated my previous post so that the list of JSON objects is stored in the links field.

eprst · December 15, 2015, 10:25am

thanks a lot. It works !