Hi evryone! I have next log example
[time_field] key1=val1 key2=val2 key3=val3 ACTION_TYPE key4=val4 key5=val5
I want cut ACTION_TYPE from message and add him in new field, and then use KV-filter for key-value.
I use KV because keys sometimes change position.
How i can do this?
You need to provide more information. If the time field is always surrounded by square brackets it is easy to dissect that out and then mutate+gsub it away.
What identifies ACTION_TYPE? Is it always the fourth field after the [time_field]. We need to know how to find it.
Are the values in the key value pairs ever blank?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.