Split not working as expected

ghost3h · May 2, 2019, 1:29pm

Hi All,

I'm having a issue with my split on a field that is comma deliminated. I've got the syntax for what I want from previous questions, but the output is not as I expected. I have seen different syntax used on the split / reference, so tried both and neither work. I have the alternative syntax commented out for example

My data is:

HOSTALIAS:/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere, DEMO Workload, UKblah123

mutate {
split => ["HOSTALIAS", ", "]
#split => {"HOSTALIAS" => ", " }

    add_field => {"ci_alias" => "%{HOSTALIAS[0]}"}
    add_field => {"blueprint-id" => "%{HOSTALIAS[1]}"}
    add_field => {"instance-id" => "%{HOSTALIAS[2]}"}


   # add_field => {"ci_alias" => "%{[HOSTALIAS][0]}"}
   # add_field => {"blueprint-id" => "%{[HOSTALIAS][1]}"}
   # add_field => {"instance-id" => "%{[HOSTALIAS][2]}"}

    }

The results are:

"ci_alias" => "/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere,",
"blueprint-id" => "%{HOSTALIAS[1]}",
"instance-id" => "%{HOSTALIAS[2]}"

I've tried splitting on just "," and ", " and neither seem to work. What am I doing wrong?
Thanks

Badger · May 2, 2019, 6:15pm

Not sure. This works just fine for me...

input { generator { count => 1 message => '' } }

filter {
    mutate { add_field => { "HOSTALIAS" => "/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere, DEMO Workload, UKblah123" } }
    mutate {
        split => { "HOSTALIAS" => ", " }
        add_field => { "ci_alias" => "%{[HOSTALIAS][0]}" "blueprint-id" => "%{[HOSTALIAS][1]}" "instance-id" => "%{[HOSTALIAS][2]}" }
    }
}

That gets me

   "HOSTALIAS" => [
    [0] "/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere",
    [1] "DEMO Workload",
    [2] "UKblah123"
],
"blueprint-id" => "DEMO Workload",
 "instance-id" => "UKblah123",
    "ci_alias" => "/subscriptions/41561-sadd-asdasd/resourceGroups/somethinghere/providers/Microsoft.Compute/virtualMachines/Somethinghere",

ghost3h · May 3, 2019, 12:05pm

So I tested it the same way as you, and it works ( bu defining my own value). So its something wrong with my kv filtering.

I'm very new to logstash filters, is there any online testing tools where I can very quickly make changes and see what results come out? I'm currently using stdout which is quick(ish) but a online tool would be ideal

Badger · May 3, 2019, 12:35pm

I use 2 windows. In one I edit a configuration file, in the other I run logstash with -r, so that it reloads the configuration every time I tell the editor to write out the file. This avoids the (very large) overhead of restarting logstash for every configuration change.

Topic		Replies	Views
Logstash. Mutate's split doesn't split string Logstash	2	403	August 27, 2021
Logstash filter not able to split Logstash	4	1033	July 6, 2017
Logstash split String Logstash	2	5906	June 6, 2017
Please update your Logstash mutate split documentation example Logstash	1	314	September 24, 2019
Logstash Mutate Split doesn't work Logstash	3	761	August 14, 2018

Split not working as expected

Related topics