Split not working as expected

ghost3h · May 2, 2019, 1:29pm

Hi All,

I'm having a issue with my split on a field that is comma deliminated. I've got the syntax for what I want from previous questions, but the output is not as I expected. I have seen different syntax used on the split / reference, so tried both and neither work. I have the alternative syntax commented out for example

My data is:

HOSTALIAS:/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere, DEMO Workload, UKblah123

mutate {
split => ["HOSTALIAS", ", "]
#split => {"HOSTALIAS" => ", " }

    add_field => {"ci_alias" => "%{HOSTALIAS[0]}"}
    add_field => {"blueprint-id" => "%{HOSTALIAS[1]}"}
    add_field => {"instance-id" => "%{HOSTALIAS[2]}"}


   # add_field => {"ci_alias" => "%{[HOSTALIAS][0]}"}
   # add_field => {"blueprint-id" => "%{[HOSTALIAS][1]}"}
   # add_field => {"instance-id" => "%{[HOSTALIAS][2]}"}

    }

The results are:

"ci_alias" => "/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere,",
"blueprint-id" => "%{HOSTALIAS[1]}",
"instance-id" => "%{HOSTALIAS[2]}"

I've tried splitting on just "," and ", " and neither seem to work. What am I doing wrong?
Thanks

Badger · May 2, 2019, 6:15pm

Not sure. This works just fine for me...

input { generator { count => 1 message => '' } }

filter {
    mutate { add_field => { "HOSTALIAS" => "/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere, DEMO Workload, UKblah123" } }
    mutate {
        split => { "HOSTALIAS" => ", " }
        add_field => { "ci_alias" => "%{[HOSTALIAS][0]}" "blueprint-id" => "%{[HOSTALIAS][1]}" "instance-id" => "%{[HOSTALIAS][2]}" }
    }
}

That gets me

   "HOSTALIAS" => [
    [0] "/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere",
    [1] "DEMO Workload",
    [2] "UKblah123"
],
"blueprint-id" => "DEMO Workload",
 "instance-id" => "UKblah123",
    "ci_alias" => "/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere",

ghost3h · May 3, 2019, 12:05pm

So I tested it the same way as you, and it works ( bu defining my own value). So its something wrong with my kv filtering.

I'm very new to logstash filters, is there any online testing tools where I can very quickly make changes and see what results come out? I'm currently using stdout which is quick(ish) but a online tool would be ideal

Badger · May 3, 2019, 12:35pm

I use 2 windows. In one I edit a configuration file, in the other I run logstash with -r, so that it reloads the configuration every time I tell the editor to write out the file. This avoids the (very large) overhead of restarting logstash for every configuration change.

system · May 31, 2019, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Mutate Split doesn't work Logstash	3	712	August 14, 2018
Need to split comma delimited string where one of the fields contains a backslash Logstash	3	2045	January 12, 2022
Ambiguous in documentation which describe logstash filter plugin "mutate -> split" Logstash	2	327	February 26, 2019
Problem with split add field Logstash	3	840	December 17, 2020
Strange behaviour kv field_split Logstash	5	853	April 8, 2020

Split not working as expected

Related Topics