Use variable for target value (kv)

florentmair · March 9, 2017, 3:27pm

Hi

I want to use a fieldname to setup the "target" field in KV plugin, but it's doesn't work

filter {
if [message] =~ /^NUMBER OF .*:/ {
    grok {
         match => { "message" => "^NUMBER OF %{DATA:fieldinfo} :"}

    }
    mutate {
       gsub => [ "fieldinfo", " ", "_" ]
    }
       kv {
         field_split => "\n"
         target => "NB_%{fieldinfo}"
         trim => " "
         trimkey => " <>"
       }
} else {
    drop{}
}
}

my result :

{
               "path" => "/tmp/input",
         "@timestamp" => 2017-03-09T15:15:09.147Z,
    "NB_%{fieldinfo}" => {
        "NamedUsers" => "24488",
            "Groups" => "16781"
    },
           "@version" => "1",
               "host" => "XXXXX",
          "fieldinfo" => "USERS_AND_GROUPS",
            "message" => "NUMBER OF USERS AND GROUPS :\n  Named Users = 24488 \n  Groups = 16781 \n ",
               "tags" => [
        [0] "multiline"
    ]
}

Any idea ?
Thanks
Florent

magnusbaeck · March 9, 2017, 3:32pm

Known limitation:

florentmair · March 9, 2017, 3:51pm

Thank you, i will try the workaround

system · April 6, 2017, 3:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to access existing field in KV filter plugin? Logstash	2	691	August 6, 2018
Json target based field value (or tag)? Logstash	4	1671	July 6, 2017
Logstash KV parsing : k=field, v=value Logstash	5	439	June 6, 2018
Set "target" in JSON filter to be variable Logstash	3	545	October 21, 2020
How to extract the data in the target to the root directory Logstash	1	490	October 9, 2018

Use variable for target value (kv)

Related Topics