Splitting 1 column of integers into 2 columns

Hi all. I have been playing with ELK for a few months, and been making decent progress so far. I have an interesting problem I came across, which I haven't been able to figure out.

Let’s say you have a column that has the following integers, separated by a delimiter.

Column-1:

1-2
3-4
5-6
7-8
9-10

Question is then how to convert / digest / split it (in Logstash) to a newly created composition of:

Column-1

1
3
5
7
9

Column-2

2
4
6
8
10

In other words, simply split the integers on either side of the delimiter, that were formerly in 1 column, now split them and put them into a newly created column.

Haven’t found a way to do it. Basically, splitting these integers (yep, they are integers) .. and removing the delimiter in the process.

I could try and open it up with Excel, and manually massage the files, but then I've seen encoding issues even from a simple massage operation like that.

Would anyone have a way to do this? The KV filter doesn't do it. Doesn't seem to be a way. If anyone knows of a way to accomplish this, please advise.

Thanks!
K

Since Logstash doesn't have "columns", I'm not sure exactly what you mean. Are you saying that your document looks like

{
  "a": "1-2"
}

and you want to turn it into this?

{
  "b": "1",
  "c": "2"
}

Hi Magnus,

Thanks for responding.

I didn't expect a response, but I've read many of your posts and they are indeed quite useful. Didn't mean to confuse the issue. Sorry.

For this particular query / example, what I was trying to express was referencing a column where your data source points to a .csv file, with a column containing a final score, for example.

I'll draw a sport analogy, and hopefully then my query will make more sense.

Upon importing the .csv, you have a singular column (called Final score) containing the following summary in a single row: 27-21.

This column references the score of Team [27], and Opponent [21].

So I was hoping to have logstash convert this singular .csv Column, and break it out into 2 Columns:

Column named -> Team: with the integer value of 27
Column named -> Opponent: with the integer value of 21

And the original dash / demarc is tossed into the bit bucket.

I hope this makes more sense.

Understood, if it's a little complex, and can't be done. Either way, thank you for all you do here on these boards. Your expertise is a tremendous help to the user community.

Use a grok filter to parse the Final Score field and extract the two desired fields. After that you may want to delete the original field that you just parsed.
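
An added example of the grok approach suggested above (not part of the original reply). It assumes the field produced from the CSV column is named `Final score` and holds two non-negative integers separated by a dash; the failure tag name is made up for illustration.

```logstash
filter {
  grok {
    # Anchored pattern: the whole value must be <digits>-<digits>.
    # NONNEGINT is used instead of INT because INT also accepts a leading
    # sign, which would make a value like "27--21" parse as 27 and -21.
    # The ":int" suffix stores the captures as integers, not strings.
    match => {
      "Final score" => "^%{NONNEGINT:Team:int}-%{NONNEGINT:Opponent:int}$"
    }

    # remove_field only runs when the match succeeds, so rows that fail
    # to parse keep their original value for later inspection.
    remove_field => ["Final score"]

    # Assumed tag name; replaces the default _grokparsefailure so these
    # rows can be found with a query on this specific tag.
    tag_on_failure => ["_final_score_parse_failure"]
  }
}
```

With the sample value from the thread, `27-21`, the event ends up with `Team` = 27 and `Opponent` = 21 as integers and no `Final score` field.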

Thanks Magnus, I will attempt that approach. Appreciate your response!
