Split field in elastic

lusynda · June 16, 2021, 1:59am

Hi all,
I have a little problems that needed solving.
I have a field dns domain dns.question.name has value like this: a.b.c.d

Now i want to split this domain into many other domain like tld, sld ..... dynamically without having to use grok since the domain field can be vary with many has only 2 level domain and other has more.

I have check out kv filter but i seem to only work with field that has key:value type and since domain has no key so that a no go for me.

Can any one propose a solution for me.
Thanks for your time.

Badger · June 16, 2021, 2:52am

Are you saying that you want 4 fields, each of which contains a single part of the domain name (i.e. "a", "b", "c", "d") or do you want "a.b.c.d", "b.c.d", "c.d", "d". I assume you also want "a.b.c.d.e.f" handled.

lusynda · June 16, 2021, 3:14am

i want each value in the . to be in a separate field (i.e. "a", "b", "c", "d")

Yes i want that as well

Badger · June 16, 2021, 3:33am

I would use a ruby filter to do that. I am done for the day, so will not post a solution for about 12 hours

Badger · June 16, 2021, 5:02pm

Try

    ruby {
        code => '
            m = event.get("message")
            if m
                m = m.split(".")
                m.each_index { |x|
                    event.set("part#{x+1}", m[x])
                }
            end
        '
    }

lusynda · June 17, 2021, 1:37am

Thanks for the answer.
But dont mind if i ask what would be the expected output field of this filter.
I assume to be

part1:1
part2:2

and since this is domain stuff we do care about it from the bottom domain so is there a way to reverse this to the first field to be the last one with the dot.
eg: google.com then i want the part1 to be com and the part2 the google.

Badger · June 17, 2021, 1:46am

I wondered if you would ask that You can try

    ruby {
        code => '
            m = event.get("message")
            if m
                m = m.split(".")
                len = m.length
                m.each_index { |x|
                    event.set("part#{len-x}", m[x])
                }
            end
        '
    }

which will produce

     "part2" => "google",
     "part1" => "com",
   "message" => "google.com"

system · July 15, 2021, 1:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.