Logstash Field split and merge
I started using and configuring the ELK stack a month ago as a personal project in the IT company I'm working in.
Without any training or a coding background, my Logstash works well enough to accept logs from Cisco ASR5K on StarOS and some IOS devices, send them to Elasticsearch and also store them in RAW format.
I'm now trying to tune up the fields that I've created for this config a little bit, and I'm encountering some difficulties, so I really hope that you could help me. Any feedback will be welcomed.
Ok, so my problem is the following:
I have a log in RAW format:
<171>Nov 13 18:11:03 evlogd: [local-60sec3.378] [diameter 92004 error] [8/0/6001 <diactrl:0> flow_id_mgmt.c:743] [software internal system syslog] Flow ID sync with facility 87000 instance 377 failed 82649 times
And I have applied the following match (the square brackets are escaped so grok treats them as literal characters rather than a character class):
%{ASR_TIMESTAMP:log_date} %{ASR_TASK:task} \[%{ASR_FACILITY:facility}\] \[%{ASR_INSTANCE:instance_info}\] \[%{ASR_MGR:mgr}\] \[%{ASR_LEVEL:level}\] %{ASR_RAW:message}
With the following custom pattern:
CISCOTIMESTAMPTZ %{CISCOTIMESTAMP}( %{TZ})?
NEXUSTIMESTAMP %{YEAR} %{MONTH} %{MONTHDAY} %{TIME}( %{TZ})?
ASR_TIMESTAMP %{MONTH} %{MONTHDAY} %{TIME}
ASR_TASK %{DATA}
ASR_FACILITY %{DATA}
ASR_EVENT_ID %{DATA}
ASR_LEVEL %{DATA}
ASR_EVENT_LEVEL %{WORD}
ASR_INSTANCE %{DATA}
ASR_CONTEXT %{DATA}
ASR_EVENT %{WORD}
ASR_TYPE %{DATA}
ASR_MGR %{DATA}
ASR_RAW %{GREEDYDATA}
ASR_CALLID %{DATA}
And everything works fine (well, at least for me). The logs are matching so that's a good start.
{
         "log_date" => "Nov 15 13:20:07",
         "hostname" => "MM-MME",
      "fingerprint" => "9414227242b545335cb679d9905dddf6b8976cf2",
             "task" => "evlogd:",
            "level" => "software internal system syslog",
             "host" => "X.X.X.X",
              "mgr" => "8/0/6001 <diactrl:0> flow_id_mgmt.c:743",
          "message" => "Flow ID sync with facility 87000 instance 75 failed 83718 times\u0000",
       "@timestamp" => 2018-11-15T11:20:07.439Z,
    "instance_info" => "diameter 92004 error",
         "facility" => "local-60sec7.199",
             "type" => "syslog-cisco"
}
What I want to do is to delete the number from the "instance_info" field, so that it becomes "diameter error".
Why? I want to create a pie chart visualization with the data from this field, and the numbers are absolutely irrelevant for me. More than that, they screw up my pie chart by creating thousands of entries like:
sessmgr 10033 trace
sessmgr 10036 trace
sctp 87304 error
sgsn-gtpc 116043 debug
sessmgr 12902 debug
sgs 173002 debug
nas 153002 debug
sgs 173001 debug
sgsn-gtpc 116004 debug
sessmgr 12093 error
sgsn-gtpc 116003 debug
sgsn-gtpc 116094 info
sgsn-gtpc 116095 info
sgsn-gtpc 116120 debug
sgsn-gtpc 116122 debug
sgsn-gtpc 116057 debug
sessmgr 10177 debug
sessmgr 10207 info
sessmgr 10285 debug
aaamgr 36861 debug
sessmgr 10004 info
sessmgr 10738 trace
sessmgr 12952 info
aaa-client 6002 debug
aaa-client 6003 debug
And there should be roughly 15-20 results like:
sgsn-gtpc info/debug etc.
sessmgr info/debug/error etc.
aaamgr info/debug/error etc.
I tried based on the following action plan:
Split the "instance_info" into 3 fields:
ASR_INSTANCE %{WORD}
ASR_INSTANCE_NR %{NUMBER}
ASR_INSTANCE_LVL %{WORD}
And create a new match (again with the literal brackets escaped):
%{ASR_TIMESTAMP:log_date} %{ASR_TASK:task} \[%{ASR_FACILITY:facility}\] \[%{ASR_INSTANCE:instance_info}%{SPACE}%{ASR_INSTANCE_NR:nr}%{SPACE}%{ASR_INSTANCE_LVL:Level}\] \[%{ASR_MGR:mgr}\] \[%{ASR_LEVEL:level}\] %{ASR_RAW:message}
Which works (tested in an online Grok debugger):
"instance_info": [
[
"diameter"
]
],
"nr": [
[
"92004"
]
],
"Level": [
[
"error"
Now I want to delete the "nr" field and combine ["instance_info", "Level"] into one single field. And to be honest, I have no idea how.
I tried with the mutate plugin, but I lack the knowledge to understand how and where to insert it.
I kindly ask you to help me in this matter or to suggest a different way.
Config file: 01-cisco.conf
I know for most of you, my config file might look very creepy, but that's the best I could do, so please don't judge my frankenstein.conf file.
Any kind of help and suggestions for my issue, or for any line in the config will be most welcomed!
asked Nov 22 '18 at 12:37 by Nicu Dumbraveanu
edited Nov 22 '18 at 16:09 by baudsp
1 Answer
You are nearly there. All you have to do is use mutate/replace to combine the data you need and mutate/remove_field to remove the unnecessary fields.
You need to change the ASR_INSTANCE_LVL field name not to be level, since you already have a level field. Let's say you would call it asr_level.
Add the relevant mutate at the end of your conf file.
mutate {
  # build the merged value first, while asr_level still exists on the event
  replace => { "instance_info" => "%{instance_info} %{asr_level}" }
}
mutate {
  # then drop the pieces the pie chart does not need
  remove_field => [ "asr_level", "nr" ]
}
You can look at this google forum and https://discuss.elastic.co/t/want-to-combine-field-values-into-new-field-value/28564 for more details.
Good Luck
Thank you, Gal! It works now: "instance_info" => "cli debug" – Nicu Dumbraveanu, Nov 22 '18 at 16:58
@Nicu Great!... – Gal S, Nov 22 '18 at 17:51
answered Nov 22 '18 at 16:04 by Gal S
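As an added example that is not part of the question or the answer, the Python below emulates the parse and the two mutate steps on constructed evlogd lines, so the merged instance_info buckets can be checked before touching the pipeline. The regexes are my approximations of the grok patterns on this page (the sample lines and the file/module names in them are constructed); the block also shows the caveat that an instance token defined as %{WORD} does not match hyphenated names such as sgsn-gtpc or aaa-client from the question's own list, which would surface in Logstash as a grok failure rather than a merged field.

```python
import re

# Constructed sample lines in the evlogd format shown in the question.
SAMPLE_LOGS = [
    "<171>Nov 13 18:11:03 evlogd: [local-60sec3.378] [diameter 92004 error] "
    "[8/0/6001 <diactrl:0> flow_id_mgmt.c:743] [software internal system syslog] "
    "Flow ID sync with facility 87000 instance 377 failed 82649 times",
    "<171>Nov 13 18:11:04 evlogd: [local-60sec3.379] [sgsn-gtpc 116043 debug] "
    "[8/0/6002 <sessmgr:1> constructed.c:1] [software internal system syslog] "
    "constructed sample message",
]

# Approximation of the question's first grok match: every bracketed block is
# captured whole, as %{DATA} does, so instance_info is still "diameter 92004 error".
LINE_RE = re.compile(
    r"^(?:<\d+>)?(?P<log_date>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<task>\S+) "
    r"\[(?P<facility>[^\]]*)\] \[(?P<instance_info>[^\]]*)\] "
    r"\[(?P<mgr>[^\]]*)\] \[(?P<level>[^\]]*)\] (?P<message>.*)$"
)

# Two candidate split patterns for instance_info. INSTANCE_WORD mirrors the
# question's ASR_INSTANCE %{WORD} (\w+, which excludes the hyphen);
# INSTANCE_NOTSPACE mirrors %{NOTSPACE} and accepts sgsn-gtpc or aaa-client.
INSTANCE_WORD = re.compile(r"^(?P<name>\w+)\s+(?P<nr>\d+)\s+(?P<lvl>\w+)$")
INSTANCE_NOTSPACE = re.compile(r"^(?P<name>\S+)\s+(?P<nr>\d+)\s+(?P<lvl>\w+)$")


def parse_line(raw):
    """Return the fields the first grok match yields, or None if it fails."""
    m = LINE_RE.match(raw)
    return m.groupdict() if m else None


def split_and_merge(event, token_re=INSTANCE_NOTSPACE):
    """Emulate the split grok plus the answer's two mutate blocks.

    On a failed split the event is returned with grok_failed=True, the
    equivalent of Logstash tagging it _grokparsefailure; instance_info is
    left untouched so nothing is lost."""
    out = dict(event)
    m = token_re.match(out.get("instance_info", ""))
    if not m:
        out["grok_failed"] = True
        return out
    # Split grok: instance_info, nr and asr_level become separate fields.
    out["instance_info"], out["nr"], out["asr_level"] = m.group("name", "nr", "lvl")
    # mutate { replace => { "instance_info" => "%{instance_info} %{asr_level}" } }
    out["instance_info"] = f"{out['instance_info']} {out['asr_level']}"
    # mutate { remove_field => ["asr_level", "nr"] }
    for field in ("asr_level", "nr"):
        out.pop(field, None)
    return out


def pie_chart_buckets(raw_lines, token_re=INSTANCE_NOTSPACE):
    """Count events per merged instance_info: the buckets the pie chart shows."""
    counts = {}
    for raw in raw_lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ev = split_and_merge(ev, token_re)
        key = "_grokparsefailure" if ev.get("grok_failed") else ev["instance_info"]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(pie_chart_buckets(SAMPLE_LOGS))
    print(pie_chart_buckets(SAMPLE_LOGS, INSTANCE_WORD))
```

Feeding the pipeline's own sample lines through `pie_chart_buckets` with both token patterns is a quick way to see which instance names the chosen grok pattern silently drops.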