Is user2;gw43,3 a typo? I ask because the third line has the same ;/, issue at the same position.
If so, the following code will work, if not you will have to adjust the regexp.
dissect { mapping => { "message" => "%{fecha};%{timestamp};%{data}" } }
ruby {
code => '
matches = event.get("data").scan(/(\w+),(\w+),(\w+)($|;)/)
# Matches is an array of arrays like: [["user1", "gw11", "3", ";"], ["user1", "gw22", "5", ""]]
users = {}
# For each array of four matches...
matches.each { |x|
users[x[0]] ||= {}
users[x[0]]["gateways"] ||= []
users[x[0]]["user"] = x[0]
# gateways is an array of hashes
users[x[0]]["gateways"] << { "name" => x[1], "gwcalls" => x[2].to_i }
}
# If users is a hash { "key" => "value" } this converts it to [ "key", "value" ]
users = users.to_a
# Next we throw away the keys (usernames) since those are also inside the value hash
newUsers = []
users.each { |x|
newUsers << x[1]
}
event.set("users", newUsers)
'
}
split { field => "users" }
ruby {
code => '
# Move contents of the [users] field to the top level
event.get("users").each { |k, v|
event.set(k, v)
}
event.remove("users")
# Sum up the calls
totalcalls = 0
event.get("gateways").each { |x|
totalcalls += x["gwcalls"]
}
event.set("totalcalls", totalcalls)
'
}
(/(\w+)[[:punct:]](\w+)[[:punct:]](\w+)($|;)/ would work...