Hi, I have several text strings with separator patterns that I would like to be able to ingest as objects in elasticsearch, these strings are of the style:
(a) text|text
b) number text|number text
c) mailto:text@text | mailto:text@text
I have tried mutate split in cases A and C,
for case C I have tried kv { value_split => "|" field_split => " " source => "a" target => "a" },
I have also tried for case A ruby { code => "event.get('A').split('|')" }, I can't get it to work in any case 
Any hints or step by step guide you can think of?
Are you looking to do something like this? You can ingest them as an array like this.
Conf
input {
generator {
lines => [
'[{ "test": "text1|text2" }, { "test2": "12|154" }, { "test3": "text2@text2|text@text" }]'
]
count => 1
codec => "json"
}
}
filter {
mutate {
split => ["test", "|"]
split => ["test2", "|"]
split => ["test3", "|"]
}
}
output {
stdout { codec => json_lines }
}
Output
{
"@version": "1",
"test": ["text1", "text2"],
"@timestamp": "2021-03-16T13:36:49.215Z",
"host": "Aarons-MBP.domain",
"sequence": 0
} {
"@version": "1",
"test3": ["text2@text2", "text@text"],
"@timestamp": "2021-03-16T13:36:49.215Z",
"host": "Aarons-MBP.domain",
"sequence": 0
} {
"@version": "1",
"host": "Aarons-MBP.domain",
"@timestamp": "2021-03-16T13:36:49.215Z",
"sequence": 0,
"test2": ["12", "154"]
}
I'm gonna try (thanks!) but not sure how, sorry, my mistake, all strings are fiels coming froma csv file.
More info:
- I want to split emails strings like: mailto:name@domain.tld to get domain.tld in a new field. and also, if possible, user part, without "mailto:".
- I have string like: string1|string2 (that may have, 1, 2, 3 or more "fields".
- Finally I have number string | number2 string (from 1 to x) that I need to parse to key pair into new fields.
- Everything works, I mean, logstash ingests all data with mutate split, for example, it does nothing :S