Split field logstash

sureshboiina · December 18, 2017, 11:21am

hi

input
2017-12-18 16:50:54.462 [http-bio-8080-exec-9] DEBUG o.s.w.f.CommonsRequestLoggingFilter.afterRequest(55) - After request [uri=/tng-rfid-api-gateway/gateway/api/v1/pre-checks/01;client=172.31.100.151;user=admin;payload={"header":{"sourceRefNo":"12341232017121200999","SPID":"1234","LOCID":"123","requestType":"01","timestamp":"2017-03-03T10:02:03.215+08:00"},"body":{"idType":"2","idNumber":"H12345777","nationality":"MYS","vehicleRegNo":"WWW123","vehicleRegCountry":"MYS","oldTagID":"","sourceAccNo":"","vectorAccNo":"","remark":""}}]

`using code

   kv {
    source => "tx"
	field_split => ";"
	remove_char_value => "\[\]"
	target => "final"
       }

getting output:

final.user-admin
final.client-172.31.100.151
final.2017-12-18 16:50:54.462 [http-bio-8080-exec-9] DEBUGo.s.w.f.CommonsRequestLoggingFilter.afterRequest(55) - After request [uri
-tng-rfid-api-gateway/gateway/api/v1/pre-checks/01
final.payload-{"header":{"sourceRefNo":"12341232017121200999","SPID":"1234","LOCID":"123","requestType":"01","timestamp":"2017-03-03T10:02:03.215+08:00"},"body":{"idType":"2","idNumber":"H12345777","nationality":"MYS","vehicleRegNo":"WWW123","vehicleRegCountry":"MYS","oldTagID":"","sourceAccNo":"","vectorAccNo":"","remark":""}}

Above everything ok but for uri it should not get entire string expected is
final.uri-tng-rfid-api-gateway/gateway/api/v1/pre-checks/01

so can u guys let me know is there way to accomplish this

magnusbaeck · December 18, 2017, 11:41am

I don't get it. What does the tx field contain?

sureshboiina · December 18, 2017, 11:43am

tx is actual message which i given as input

magnusbaeck · December 18, 2017, 2:07pm

Please show the rest of your filters. It looks like you're indeed asking the kv filter to parse the whole input string, including the timestamp.

system · January 15, 2018, 2:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.