Hello, so I have an event like this:
A
B
C
B
C
..
B
C
And I can parse it, getting the "A" value and making an array of "B" and "C". That's how I am handling it right now.
But I got curious: is it possible to store the value of "A", later attach it to every "BC", and then split them into different docs in Elasticsearch? I was thinking towards an Elasticsearch processor in Logstash maybe. Maybe someone has an idea of how it could be done?
Oh, stupid me.. I assume I should use the split plugin. I will try it and reply with results.
So I got it:
With ruby filters I am scanning the event and getting ID, name and level into arrays, then I merge them with the .zip API (big props to Magnus Baeck - here).
That was so easy, I decided to add one more field (level).
# digits following "ID: "
ruby { code => "event.set('ID', event.get('message').scan(/(?<=ID:\s)\d+/) )" }
# the field directly before ";ID"
ruby { code => "event.set('name', event.get('message').scan(/[^;]+(?=;ID)/) )" }
# the field two positions before ";ID"
ruby { code => "event.set('level', event.get('message').scan(/[^;]+(?=;[^;]*;ID)/) )" }
# zip the three arrays element-wise and join each triple into one string
ruby { code => "event.set('Results', event.get('ID').zip(event.get('name'),event.get('level')).map! { |item| item[0] +'; '+ item[1] +'; '+ item[2] +';' } )" }
After ruby I just use the split plugin on the field "Results":
split {
  field => "Results"
  remove_field => [ "ID", "name", "level" ]
}
Logstash is amazing!
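The scan/zip logic and the split step from the post above, as an added stand-alone Ruby example (not code from the thread) run against a constructed message; the small Event class is an assumed stand-in for the Logstash event API, and the length check before the zip is an addition that keeps a malformed message from raising inside the filter.

```ruby
# Stand-in for the Logstash event API (assumed here; not the real class).
class Event
  def initialize(fields); @fields = fields; end
  def get(k); @fields[k]; end
  def set(k, v); @fields[k] = v; end
  def remove(k); @fields.delete(k); end
  def tag(t); (@fields['tags'] ||= []) << t; end
  def to_h; @fields.dup; end
end

# Constructed sample: a header value (the "A") followed by repeated level;name;ID triples.
SAMPLE = 'host=web01;WARN;alice;ID: 101;INFO;bob;ID: 202;'

# The three scans and the zip from the post, plus a length check.
def extract(event)
  msg = event.get('message')
  event.set('ID',    msg.scan(/(?<=ID:\s)\d+/))
  event.set('name',  msg.scan(/[^;]+(?=;ID)/))
  event.set('level', msg.scan(/[^;]+(?=;[^;]*;ID)/))
  ids, names, levels = event.get('ID'), event.get('name'), event.get('level')
  # zip pads a shorter array with nil, and the string concatenation would then
  # raise inside the filter (event tagged _rubyexception). Tag and skip instead.
  unless ids.length == names.length && names.length == levels.length
    event.tag('_parse_mismatch')
    return event
  end
  event.set('Results', ids.zip(names, levels).map { |id, n, lvl| "#{id}; #{n}; #{lvl};" })
  event
end

# What split { field => "Results" remove_field => [...] } does: one event per
# element, with the scalar fields (the header) copied into every clone.
def split_results(event)
  results = event.get('Results')
  return [event] unless results.is_a?(Array)
  results.map do |r|
    clone = Event.new(event.to_h)
    clone.set('Results', r)
    %w[ID name level].each { |f| clone.remove(f) }
    clone
  end
end

def run(message)
  split_results(extract(Event.new('message' => message))).map(&:to_h)
end

puts run(SAMPLE).map(&:inspect)
```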