Splitting the field

Hi There,

I have a field called SE_Payload.SE_SysStatsUtilizationDiskSpace and it gives me a lot of useful information, but I don't know how to split it into different values like

SE_Payload.SE_SysStatsUtilizationDiskSpace_parent: 0.17

SE_Payload.SE_SysStatsUtilizationDiskSpace_boot: 0.25

SE_Payload.SE_SysStatsUtilizationDiskSpace_tmp: 0.01

something like this, so I can create a visualization with gauges showing utilisation, but I don't know how to do it.

SE_Payload.SE_SysStatsUtilizationDiskSpace: 17% /, 25% /boot, 1% /tmp, 2% /storedconfig, 9% /opt, 3% /localdisk, 9% /opt/docker/runtime/overlay

And I am not sure if all the fields will have the same values; sometimes it changes, like some fields will have only boot and tmp, some have boot and opt.

Could anyone please help me out?

Thanks,
Raj

You have value/key pairs there, so although a kv filter will parse it, the results are ugly. I would use ruby

    grok { match => { "message" => ":  %{GREEDYDATA:disks}" } }
    ruby {
        code => '
            m = event.get("disks").scan(/([0-9]+)% ([^,]*)/)
            m.each { |x|
                event.set("[someField][#{x[1]}]", x[0].to_i)
            }
        '
    }

which produces

 "someField" => {
                  "/storedconfig" => 2,
                           "/opt" => 9,
    "/opt/docker/runtime/overlay" => 9,
                              "/" => 17,
                          "/boot" => 25,
                     "/localdisk" => 3,
                           "/tmp" => 1
}
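The same parsing step, as an added stand-alone Ruby example (not from the answer above or from Logstash itself) so the regex can be checked outside the pipeline. It reuses the answer's `scan` pattern, accepts the raw "name: value" line as well as the bare value, copes with events that list only some mount points, and also produces the flattened `_parent` / `_boot` / `_tmp` names the question asked for; the field prefix and the `parent` name for `/` are assumptions.

```ruby
# Constructed sample, copied from the field value shown in the question.
SAMPLE = "SE_Payload.SE_SysStatsUtilizationDiskSpace: 17% /, 25% /boot, " \
         "1% /tmp, 2% /storedconfig, 9% /opt, 3% /localdisk, " \
         "9% /opt/docker/runtime/overlay"

# Parse "NN% /mount, NN% /mount, ..." into { "/mount" => NN, ... }.
# Accepts either the bare value or the full "name: value" line, so the
# grok step from the answer is not required to try it out. Mount points
# that are absent from a given event are simply absent from the hash.
def parse_disk_usage(str)
  value = str.split(":", 2).last
  # Same pattern as the answer: a percentage, then a path up to the next comma.
  value.scan(/([0-9]+)% ([^,]*)/).each_with_object({}) do |(pct, mount), h|
    h[mount.strip] = pct.to_i
  end
end

# Flatten into the gauge-friendly shape from the question: "/" becomes
# "parent" (assumed name), other mounts drop the leading slash and turn
# inner slashes into underscores, and percentages become fractions.
def flatten_for_gauges(usage, prefix = "SE_Payload.SE_SysStatsUtilizationDiskSpace")
  usage.each_with_object({}) do |(mount, pct), h|
    name = mount == "/" ? "parent" : mount.sub(%r{\A/}, "").tr("/", "_")
    h["#{prefix}_#{name}"] = pct / 100.0
  end
end

if __FILE__ == $0
  usage = parse_disk_usage(SAMPLE)
  p usage
  p flatten_for_gauges(usage)
  # An event that reports only two mount points parses just as well.
  p parse_disk_usage("25% /boot, 1% /tmp")
end
```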
