Spliting the field

Badger · July 25, 2019, 1:45pm

You have value/key pairs there, so although a kv filter will parse it, the results are ugly. I would use ruby

    grok { match => { "message" => ":  %{GREEDYDATA:disks}" } }
    ruby {
        code => '
            m = event.get("disks").scan(/([0-9]+)% ([^,]*)/)
            m.each { |x|
                event.set("[someField][#{x[1]}]", x[0].to_i)
            }
        '
    }

which produces

 "someField" => {
                  "/storedconfig" => 2,
                           "/opt" => 9,
    "/opt/docker/runtime/overlay" => 9,
                              "/" => 17,
                          "/boot" => 25,
                     "/localdisk" => 3,
                           "/tmp" => 1
}

Topic		Replies	Views
Split field into multiple fields Logstash	4	1160	October 15, 2021
Splitting a field that looks like an array Logstash	7	5	October 9, 2024
Issues with kv filtering/ElasticSearch filtering Logstash	4	366	September 4, 2019
Logstash - How to split this field Logstash	3	283	July 19, 2019
Strange behaviour kv field_split Logstash	5	854	April 8, 2020

Spliting the field

Related topics