Trying to get values in array

Shivom_Kumar · May 29, 2018, 6:25pm

hi . i was doing something similar to getting values as an array. i have my log something like this
fab 20 gds 30 rt 21
i want to create two array : one contating {fab,dgs,rt} and other containing their respective value {20,30,,21}
i followed the approach similar to this: #35
this is how i wrote my rules +1
CUSTOM_VALUE (?:%{NUMBER})
CUSTOM_LIST_VALUE (?:(\s*%{WORD}[\s*]%{CUSTOM_VALUE}))
CUSTOM_VALUE_LIST_COMPLEX (?:(%{CUSTOM_LIST_VALUE})+)

and i am matching %{CUSTOM_VALUE_LIST_COMPLEX:category}
i am getting whole fab 20 gds 30 rt 21 under CUSTOM_VALUE_LIST_COMPLEX.
my question is how to get those values like array as i mentioned above from this CUSTOM_VALUE_LIST_COMPLEX

Badger · May 29, 2018, 6:40pm

I would do that in a ruby filter

    ruby {
        code => '
            i = 1
            out1 = []
            out2 = []

            a = event.get("message").split(" ").each { |v|
                i = i+1
                if i % 2 == 0
                    out1 << v
                else
                    out2 << v
                end
            }
            event.set("out1", out1)
            event.set("out2", out2)
        '

Shivom_Kumar · May 30, 2018, 8:52am

thanks @Badger . its working . but is there any way to do this with the help of grok filter ?

Badger · May 30, 2018, 12:46pm

Yes, but it feels unnatural to me.

grok { match => [ "message", "%{WORD:foo} %{WORD:bar} %{WORD:foo} %{WORD:bar} %{WORD:foo} %{WORD:bar}" ] }

Shivom_Kumar · May 30, 2018, 7:43pm

@Badger
ok so i will post here my complete problem .

i have my logs something like this :

May 18 2018 06:51:03 GMT: INFO (info): (ticker.c:313) fds: proto (0,6,6) heartbeat (1,3,2) fabric (15,24,9)
May 18 2018 06:47:42 GMT: INFO (namespace): (namespace_ce.c:96) {test} gd 10 prole 20
May 18 2018 06:47:52 GMT: INFO (info): (ticker.c:408) {bar} objects: all 0 master 0 prole 0 non-replica 0

in the above lines (namespace_ce.c) and (ticker.c) are the filenames.
the code that u wrote as a ruby filter i used that to get the arrays as for ex out1 =>{proto,heartbeat,fabric} and their respective value out2 =>{(0,6,6),(1,3,2),(15,24,9)}

now i have some problems. firstly the rules that i wrote parse both the filenames logs. but i want to parse only those logs that have filename as ticker.c
so i wrote rule for that . below is what i wrote

grok {
patterns_dir => ["/etc/logstash/patterns"]
match => {"message" => "%{GREEDYDATA:before} (%{FILENAME:filename}:%{NUMBER:file_no}) %{GREEDYDATA:left_message}"}
}
if ([filename] == "ticker.c") {
#QUE 1 :here i want to write code to match the left_message obtained from above with some regex . can it be done ?
}
}
else {
drop {}
}
}

#QUE2 : if i am using the above technique then logstash parse only one line. how can i get it to parse all lines in my log file ?

Shivom_Kumar · May 31, 2018, 9:10am

@Badger
also is there a way to do the map kind of thing instead of having two arrays.
like a single map having key and value kind of thing. in ruby ?

system · June 28, 2018, 9:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.