Use variable for target value (kv)

florentmair · March 9, 2017, 3:27pm

Hi

I want to use a fieldname to setup the "target" field in KV plugin, but it's doesn't work

filter {
if [message] =~ /^NUMBER OF .*:/ {
    grok {
         match => { "message" => "^NUMBER OF %{DATA:fieldinfo} :"}

    }
    mutate {
       gsub => [ "fieldinfo", " ", "_" ]
    }
       kv {
         field_split => "\n"
         target => "NB_%{fieldinfo}"
         trim => " "
         trimkey => " <>"
       }
} else {
    drop{}
}
}

my result :

{
               "path" => "/tmp/input",
         "@timestamp" => 2017-03-09T15:15:09.147Z,
    "NB_%{fieldinfo}" => {
        "NamedUsers" => "24488",
            "Groups" => "16781"
    },
           "@version" => "1",
               "host" => "XXXXX",
          "fieldinfo" => "USERS_AND_GROUPS",
            "message" => "NUMBER OF USERS AND GROUPS :\n  Named Users = 24488 \n  Groups = 16781 \n ",
               "tags" => [
        [0] "multiline"
    ]
}

Any idea ?
Thanks
Florent

magnusbaeck · March 9, 2017, 3:32pm

Known limitation:

florentmair · March 9, 2017, 3:51pm

Thank you, i will try the workaround

system · April 6, 2017, 3:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to access existing field in KV filter plugin? Logstash	2	702	August 6, 2018
How to extract the data in the target to the root directory Logstash	1	496	October 9, 2018
Json target based field value (or tag)? Logstash	4	1689	July 6, 2017
How to use the ruby{} filter to loop through k,v pairs after use the kv{} filter? Logstash	7	12087	October 12, 2018
Extract data from { } Logstash	6	2622	December 19, 2017

Use variable for target value (kv)

Related topics