Split field logstash

hi

input
2017-12-18 16:50:54.462 [http-bio-8080-exec-9] DEBUG o.s.w.f.CommonsRequestLoggingFilter.afterRequest(55) - After request [uri=/tng-rfid-api-gateway/gateway/api/v1/pre-checks/01;client=172.31.100.151;user=admin;payload={"header":{"sourceRefNo":"12341232017121200999","SPID":"1234","LOCID":"123","requestType":"01","timestamp":"2017-03-03T10:02:03.215+08:00"},"body":{"idType":"2","idNumber":"H12345777","nationality":"MYS","vehicleRegNo":"WWW123","vehicleRegCountry":"MYS","oldTagID":"","sourceAccNo":"","vectorAccNo":"","remark":""}}]

`using code

   kv {
    source => "tx"
	field_split => ";"
	remove_char_value => "\[\]"
	target => "final"
       }

getting output:

final.user-admin
final.client-172.31.100.151
final.2017-12-18 16:50:54.462 [http-bio-8080-exec-9] DEBUGo.s.w.f.CommonsRequestLoggingFilter.afterRequest(55) - After request [uri
-tng-rfid-api-gateway/gateway/api/v1/pre-checks/01
final.payload-{"header":{"sourceRefNo":"12341232017121200999","SPID":"1234","LOCID":"123","requestType":"01","timestamp":"2017-03-03T10:02:03.215+08:00"},"body":{"idType":"2","idNumber":"H12345777","nationality":"MYS","vehicleRegNo":"WWW123","vehicleRegCountry":"MYS","oldTagID":"","sourceAccNo":"","vectorAccNo":"","remark":""}}

Above everything ok but for uri it should not get entire string expected is
final.uri-tng-rfid-api-gateway/gateway/api/v1/pre-checks/01

so can u guys let me know is there way to accomplish this

I don't get it. What does the tx field contain?

tx is actual message which i given as input

Please show the rest of your filters. It looks like you're indeed asking the kv filter to parse the whole input string, including the timestamp.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.