Use variable for target value (kv)

florentmair · March 9, 2017, 3:27pm

Hi

I want to use a fieldname to setup the "target" field in KV plugin, but it's doesn't work

filter {
if [message] =~ /^NUMBER OF .*:/ {
    grok {
         match => { "message" => "^NUMBER OF %{DATA:fieldinfo} :"}

    }
    mutate {
       gsub => [ "fieldinfo", " ", "_" ]
    }
       kv {
         field_split => "\n"
         target => "NB_%{fieldinfo}"
         trim => " "
         trimkey => " <>"
       }
} else {
    drop{}
}
}

my result :

{
               "path" => "/tmp/input",
         "@timestamp" => 2017-03-09T15:15:09.147Z,
    "NB_%{fieldinfo}" => {
        "NamedUsers" => "24488",
            "Groups" => "16781"
    },
           "@version" => "1",
               "host" => "XXXXX",
          "fieldinfo" => "USERS_AND_GROUPS",
            "message" => "NUMBER OF USERS AND GROUPS :\n  Named Users = 24488 \n  Groups = 16781 \n ",
               "tags" => [
        [0] "multiline"
    ]
}

Any idea ?
Thanks
Florent

magnusbaeck · March 9, 2017, 3:32pm

Known limitation:

florentmair · March 9, 2017, 3:51pm

Thank you, i will try the workaround

system · April 6, 2017, 3:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.