Splitting a data field into two

Hello, I need to split a certain data field I have into two separate fields. The field goes like this:

xx-xx0000:XXXXXxxx

where x's are letters and 0's are numbers.

I need to separate the field where the semicolon is but I haven't been able to figure out how to do that yet. I've looked through the grok documentation but didn't find anything on separating based on a certain character.

Thanks.

Since you mention grok I guess this is really a Logstash question. A filter with something like this will do it.

mutate { split => { "message" => ":" } }

You probably want to replace message with whatever field you want to split, then maybe move the two array elements into their own fields.

How would I send the two new items into two new fields?

Thanks

Use mutate's add_field to reference the array entries that split returned.

mutate {
        add_field => {
                "firstPart" => "%{[message][0]}"
                "secondPart" => "%{[message][1]}"
        }
}

Again message would be replaced by the field name that you are splitting.

Wow, great. Thank you very much for your help!

Fixed error in my response. Please read the updated version.
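
Added example, not part of the original thread: the split and add_field steps from the replies above combined into one filter, with a guard for values that contain no colon (without it, the unresolved `%{[...][1]}` reference is stored in the new field as literal text). The field name `device_id`, the `[@metadata][parts]` scratch field and the `_split_no_delimiter` tag are assumptions chosen for illustration.

```logstash
filter {
  # "device_id" is a placeholder for the field being split (assumed name).
  if [device_id] =~ /:/ {
    mutate {
      # Work on a copy so the original string is kept intact.
      # @metadata fields are not sent to outputs.
      copy => { "device_id" => "[@metadata][parts]" }
    }
    mutate {
      # Turns "xx-xx0000:XXXXXxxx" into ["xx-xx0000", "XXXXXxxx"].
      split => { "[@metadata][parts]" => ":" }
    }
    mutate {
      # Reference the array entries that split produced.
      add_field => {
        "firstPart"  => "%{[@metadata][parts][0]}"
        "secondPart" => "%{[@metadata][parts][1]}"
      }
    }
  } else {
    # No delimiter (or field missing): tag the event instead of
    # creating fields that hold an unresolved %{...} reference.
    mutate { add_tag => [ "_split_no_delimiter" ] }
  }
}
```

The three mutate blocks are kept separate so that copy, split and add_field run in that order. A value with more than one colon yields more than two array entries, and only the first two are copied into the new fields.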
