Trying to have dissect clean up after itself

Badger · May 31, 2018, 5:09pm

I am using dissect to parse a field it has just parsed out of a message.

input { generator { message => 'aaa bbb/ccc ddd' count => 1 } }
output { stdout { codec => rubydebug } }
filter {
    dissect {
        mapping => {
            "message" => '%{a} %{bAndC} %{d}'
            "bAndC" => '%{b}/%{c}'
        }
    }
}

That gets this, which looks good. However I do not need the combined bAndC field

     "bAndC" => "bbb/ccc",
         "a" => "aaa",
         "b" => "bbb",
         "d" => "ddd",
         "c" => "ccc"

So I tried this

input { generator { message => 'aaa bbb/ccc ddd' count => 1 } }
output { stdout { codec => rubydebug } }
filter {
    dissect {
        mapping => {
            "message" => '%{a} %{bAndC} %{d}'
            "bAndC" => '%{b}/%{c}'
        }
        remove_field => [ "bAndC" ]
    }
}

Which gets me this. Is that a bug or a feature?

         "a" => "aaa",
         "d" => "ddd",

( "%{a} %{b}/%{c} %{d}" is not a solution to my problem )

Christian_Dahlqvist · May 31, 2018, 5:14pm

Why is the last option not a solution? It would be easier to help if you actually showed some real data?

Badger · May 31, 2018, 5:18pm

Actually it is a solution. The subsequent parsing of ccc cannot be done using dissect, but combining the two things I am doing in that dissect works just fine.

system · June 28, 2018, 5:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.