Hi All,
I'm ingesting data into elasticsearch using logstash http_poller plugin. WE have a value which contains the location field like city, country
e.g: Location : Chennai, India
Is there a possible way to split this into
City : Chennai
Country : India
Or is there a way to remove chennai(city) from the field and have only country.
Location : India
Thanks
Gautham
I would try something like this:
mutate { split => { "Location" => "," } }
mutate { add_field => { "City" => "[Location][0]" "Country" => "[Location][1]" } }
mutate { strip => [ "City", "Country" ] }@Badger I tried this looks like its not splitting up, i'm getting the output as
City : [Location][0]
Country : [Location][1]
Thanks
Gautham
That solution should work. Badger just forgot the %{}
mutate { split => { "Location" => "," } }
mutate { add_field => { "City" => "%{[Location][0]}" "Country" => "%{[Location][1]}" } }
mutate { strip => [ "City", "Country" ] }
@Jenni Great its working.....awesome...One small problem there are few fields with three value pairs like "Unionbeach, NY, USA" any advice on how to merge this please.
Thanks
Gautham
What result do you want to achieve? A third field for the state or "Unionbeach, NY" as the city?
I need the result like
City : Unionbeach, NY
Country : USA
Thanks
Gautham
In this case I would probably just use grok with the pattern (?<City>.*), (?<Country>.*)$
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.