Hi All,
The incoming feed (log) to Logstash has parameters which are delimited by ~|~
These are being mutated and split in Logstash as follows:

    if [type] == "tv_dmz_access" {
      mutate {
        # Split the raw line on the ~|~ delimiter, then copy parts into named fields
        split => ["message", "~|~"]
        add_field => {
          "timeReqRecd"   => "%{[message][0]}"
          "remoteHostIP"  => "%{[message][1]}"
          "xForwardedFor" => "%{[message][2]}"
          # ...
        }
      }
    }

The problem is that "xForwardedFor" at times receives more than one IP, comma separated. For example: ~|~109.1.07.12, 14.1.15.4, 3.3.8.13, 4.15.24.7, 9.15.34.74~|~
Kibana tends to display only the first IP and disregards the other 4.
How can I set Logstash so that Kibana displays all 5 IPs instead of only one (first)?
Thanks
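
One way to keep every address, shown as an added example that is not part of the original post: a second mutate block, placed after the one that creates xForwardedFor, turns the field into an array, which Elasticsearch indexes as a multi-valued field. It assumes the field name and type from the post and a comma with optional surrounding spaces as the separator.

```logstash
filter {
  if [type] == "tv_dmz_access" {
    # Must be a separate mutate block: add_field in the first block only runs
    # after that block's own operations, so xForwardedFor does not exist yet
    # while the first split is being applied.
    mutate {
      # Within one mutate block gsub is applied before split, so the spaces
      # around each comma are removed first ...
      gsub  => ["xForwardedFor", " *, *", ","]
      # ... and the cleaned string is then split into an array of addresses.
      split => { "xForwardedFor" => "," }
    }
  }
}
```

Keeping the whole list matters when the logs are used for investigation: only the entries appended by your own proxies are trustworthy, and the rest of X-Forwarded-For is supplied by the client and can be forged.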