Split/explode strings

Hi, I have several text strings with separator patterns that I would like to be able to ingest as objects in Elasticsearch. These strings are of the style:

a) text|text
b) number text|number text
c) mailto:text@text | mailto:text@text

I have tried mutate split in cases A and C,
for case C I have tried kv { value_split => "|" field_split => " " source => "a" target => "a" },
I have also tried for case A ruby { code => "event.get('A').split('|')" }, I can't get it to work in any case :frowning:
Any hints or step by step guide you can think of?

Are you looking to do something like this? You can ingest them as an array like this.

Conf

input {
  generator {
    lines => [
     '[{ "test": "text1|text2" }, { "test2": "12|154" }, { "test3": "text2@text2|text@text" }]'
    ]
    count => 1
    codec => "json"
  }
}
filter {
    mutate {
        split => ["test", "|"]
        split => ["test2", "|"]
        split => ["test3", "|"]
    }
}
output {
  stdout { codec => json_lines }
}

Output

{
	"@version": "1",
	"test": ["text1", "text2"],
	"@timestamp": "2021-03-16T13:36:49.215Z",
	"host": "Aarons-MBP.domain",
	"sequence": 0
} {
	"@version": "1",
	"test3": ["text2@text2", "text@text"],
	"@timestamp": "2021-03-16T13:36:49.215Z",
	"host": "Aarons-MBP.domain",
	"sequence": 0
} {
	"@version": "1",
	"host": "Aarons-MBP.domain",
	"@timestamp": "2021-03-16T13:36:49.215Z",
	"sequence": 0,
	"test2": ["12", "154"]
}

I'm gonna try (thanks!) but not sure how. Sorry, my mistake, all strings are fields coming from a CSV file.

More info:

  • I want to split email strings like mailto:name@domain.tld to get domain.tld in a new field, and also, if possible, the user part, without "mailto:".
  • I have strings like string1|string2 (that may have 1, 2, 3 or more "fields").
  • Finally, I have number string | number2 string (from 1 to x) that I need to parse into key pairs in new fields.

  • Everything works, I mean, logstash ingests all data with mutate split, for example, it does nothing :S
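
Added example, not part of the original thread: plain Ruby helpers for the three string shapes listed above, of the kind a Logstash ruby filter could call, where the result has to be written back with event.set because a bare split is computed and discarded. The function names, the sample values and the choice of the number as the key are assumptions made for illustration.

```ruby
# Constructed helpers for the three shapes in this thread (names are hypothetical).

# Shape (a): "text|text|..." -> array of trimmed, non-empty parts.
def split_pipe(value)
  value.to_s.split('|').map(&:strip).reject(&:empty?)
end

# Shape (c): "mailto:user@domain | mailto:user@domain" -> list of hashes.
# The address is cut at its last "@"; anything that does not yield both a
# user and a domain is kept under "unparsed" instead of being dropped.
def parse_mailtos(value)
  split_pipe(value).map do |item|
    addr = item.sub(/\Amailto:/i, '')
    user, sep, domain = addr.rpartition('@')
    if sep.empty? || user.empty? || domain.empty?
      { 'unparsed' => item }
    else
      { 'user' => user, 'domain' => domain.downcase }
    end
  end
end

# Shape (b): "number text|number text" -> [pairs, rejected].
# Assumption: the leading number is the key and the rest of the item the value.
def parse_numbered(value)
  pairs = {}
  rejected = []
  split_pipe(value).each do |item|
    m = /\A(\d+)\s+(.+)\z/.match(item)
    if m
      pairs[m[1]] = m[2]
    else
      rejected << item # keep malformed items visible for review
    end
  end
  [pairs, rejected]
end

# Constructed sample values, one per shape.
if __FILE__ == $PROGRAM_NAME
  p split_pipe('text1|text2|text3')
  p parse_mailtos('mailto:alice@Example.org | mailto:bob@example.net')
  p parse_numbered('12 first item | 154 second item')
end
```

Inside a ruby filter the call would look like event.set('emails', parse_mailtos(event.get('field_c'))), with the field names here being placeholders.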
