Split source value and create a custom field with splitted one

platso588 · December 5, 2017, 1:37pm

This resolved the Issue and Thanks a ton

Working code snippets for both the approaches.

1. copy of source by creating a temp variable,

	if ([fields][log_type] == "yarnHive2kafkaLog") {
    grok {
            match => { "message" => "%{YEAR:logYear}-%{MONTHNUM:logMonth}-%{MONTHDAY:logDate} %{TIME:logTime} \!%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}\! %{GREEDYDATA:message}"}
         }
    mutate {
            copy => { "source" => "source_tmp" }
           }
    mutate {
            split => ["source_tmp", "/"]
            add_field => { "applicationID" => "%{source_tmp[4]}" }
           }                       
            }

2. grok filter on source

	if ([fields][log_type] == "yarnHive2kafkaLog") {
    grok {
            match => { "message" => "%{YEAR:logYear}-%{MONTHNUM:logMonth}-%{MONTHDAY:logDate} %{TIME:logTime} \!%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}\! %{GREEDYDATA:message}"}
         }
    grok {
            match => { "source" => "/%{GREEDYDATA:primaryDir}/%{GREEDYDATA:subDir1}/%{GREEDYDATA:subDir2}/%{GREEDYDATA:subDir3}/%{GREEDYDATA:containerID}/%{GREEDYDATA:fileName}"}
            }
    mutate {
           add_field => { "applicationID" => "%{subDir3}" }
           }                       
            }

Topic		Replies	Views
How to let logstash splits event field values and assign it to @metadata field Logstash	13	2264	July 6, 2017
Split an output of a kv filter Logstash	5	661	July 5, 2019
Problem with "split" and "add_field" in mutate filter Logstash	5	5469	December 19, 2019
How to use split filter on the field using logstash Logstash	5	6144	March 27, 2019
Split array fields in logstash Logstash	22	10534	June 7, 2017

Split source value and create a custom field with splitted one

Related topics