Split string into array

Lycan · March 8, 2018, 1:34pm

Hi.

What I'm trying to do is accessing a nested string in "doc" called "message" (doc.message?), and this string contains a couple of things, including a case specification. That specification is what I am trying to extract and create another object variable under "doc" with (as in "doc.case"). It is not always the same text inside the string of course, but neither is the case always in the same "section" of the string. I have tried to use split{}, both within and outside of mutate{}, and neither worked. The logfile itself is in xml formatting.

Here is the code:
input { beats { port => '5044' } } filter { xml { source => 'message' target => 'doc' } split { field => 'message' } mutate { remove_field => 'message' } } output { elasticsearch { hosts => 'http://localhost:9200' index => 'logfiles' document_type => 'commandusage' } }

And here is the logfile itself:
"doc": { "AppDomain": "DefaultDomain [1]", "Message": """3D OpenND Mode: VRT Images in stack: 211 (max limit: 2000) Viewport size: (896, 1078) Date: 20171022 14:13 Session GUID: a3bda1f1-d1f7-4fde-a3f0-7e8a926f9bfc Server: Local Case: 5b44490f-202a-439f-a7f1-57f2be400ede""", "User": "User123", "Categories": "Cat1, Cat2", "Level": "Info", "Thread": "[1]", "Method": "Method.123", "Host": "Host1", "Time": "2018-03-04T10:10:59.3353115+00:00" },

(Sorry about the looks, I can't seem to get the editing right)

magnusbaeck · March 8, 2018, 1:48pm

You're probably looking for split { field => '[doc][message]' }, see https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references.

Lycan · March 8, 2018, 1:54pm

Thank you for the quick answer.

Tried it, but it complained about the field being a "NilClass" type, which isn't splittable.

magnusbaeck · March 8, 2018, 2:35pm

That indicates that the field doesn't exist. Dump the raw event with a stdout { codec => rubydebug } output.

Lycan · March 8, 2018, 2:46pm

The field shows up in the dump, and a "_split_type_failure" tag shows up on the files, along with the previous error message.

magnusbaeck · March 8, 2018, 7:19pm

The field shows up in the dump

Well, please show it to us.

Lycan · March 9, 2018, 8:10am

Of course.

[2018-03-09T09:06:24,055][WARN ][logstash.filters.split   ] Only String and Array types are splittable. field:[_source][doc][Message] is of type = NilClass

{
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_split_type_failure"
],
"beat" => {
"version" => "6.2.2",
"hostname" => "LocalPC",
"name" => "LocalPC"
},
"prospector" => {
"type" => "log"
},
"host" => "LocalPC",
"offset" => 386,
"@timestamp" => 2018-03-09T08:06:22.293Z,
"@version" => "1",
"source" => "C:\log.slf",
"doc" => {
"Level" => "Info",
"Host" => "Host1",
"Method" => "Company.Utilities.DefaultLogs.CommandUsageLog::Info",
"User" => "User",
"Categories" => "client.performance.commands, common.assembly.utilities",
"AppDomain" => "DefaultDomain [1]",
"Message" => "c6411347-96cf-4330-b3e5-310d523adbba\tSave Image\t3D\tTime (ms):\t20\tCase:\t6e5e2d3a-ce1c-453c-93ff-4e9ce67936fe",
"Thread" => "[1]",
"Time" => "2018-01-16T19:00:24.6785488+00:00"
}
}

magnusbaeck · March 9, 2018, 8:14am

Field names are case sensitive so use [doc][Message]. I missed the uppercase M earlier, sorry.

Lycan · March 9, 2018, 8:24am

No worries. Despite trying that earlier, this time it worked. It doesn't give any error messages, but neither does it create the [doc][Case] I want either, of course. Any thoughts on that?

magnusbaeck · March 9, 2018, 9:12am

Splitting doesn't do that for you. I suggest you use a grok or dissect filter to process the string and extract the fields you want.

Lycan · March 9, 2018, 9:47am

Right, thanks for the help!

system · April 6, 2018, 9:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.