Split message logstash elasticsearch

Elastic Stack Logstash
1

Hi,
my message it looks like :

e
e1222×204 11.6 KB

i want to add field when found the "|" it means to split it with "|"
i did it but it looks with a wrong method :
image
image853×72 2.82 KB

imagine that we have a lot of data in one message and in the same file there is a lot of data but it's not the same format ...
So i want to add field when i found "|"

Any help would be sincerely appreciate!
Thanks!

2

I'm in a very similar scenario, but in my case I want to split when I found ", @" this 3 characters.
Is basically a login of Stored procedures with parameters. So I want to split the parameter column into different fields. Please let me know if you found the way for this. Also to do it dinamically I guess only with ruby is possible

3

I found somthing i think it's better:

filter {

    mutate {

      split => {"message" => "|"}

      add_field => { "field_name1" => "%{[message][0]}" }

      add_field => { "field_name" => "%{[message][1]}" }

      add_field => { "field_name2" => "%{[message][2]}" }
}
}
1 Like
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.