Logstash - using a split mutate

I am trying to use a mutate filter with the split method to extract a portion of a field received by a json filter, but I haven't found how to use the split result. Here's my config (only the simple json part works well):

filter {
        if [type] == "phperrors" {
                json {
                        source => "message"
                        target => "phperror_log"
                        remove_field => "message"
                        add_tag => [ "php", "error" ]
                }
                mutate {
                        split => ["[phperror_log][server]", "."]
                        #if [phperror_log][server][1] {
                                add_field => [ "pop", "%{[phperror_log][server][1]}" ]
                        #}
                }
        }
}


As I said, the json part works well and the phperror_log.server field exists (its value looks like node01.ny, node01.par or node02).

But all I want is to create a new field if the split creates an array of two fields, and I assume that I am not doing the right thing with my [phperror_log][server][1].

Do you have any hints, tips or tricks for dealing with this kind of use case?

Thank you in advance

edit: I edited the conf with the section which should work ... however the if is not ok

Last edit with good conf according to tips and tricks from Alain:

filter {
        if [type] == "phperrors" {
                json {
                        source => "message"
                        target => "phperror_log"
                        remove_field => "message"
                        add_tag => [ "php", "error" ]
                }
                if [phperror_log][server] =~ /\./ {
                        mutate {
                                split => ["[phperror_log][server]", "."]
                                # both new fields in one add_field hash; add_field only runs when the split succeeded
                                add_field => {
                                        "pop" => "%{[phperror_log][server][1]}"
                                        "errorhost" => "%{[phperror_log][server][0]}"
                                }
                        }
                } else {
                        mutate {
                                add_field => {
                                        "pop" => "not defined"
                                        "errorhost" => "%{[phperror_log][server]}"
                                }
                        }
                }
                mutate {
                        remove_field => [ "[phperror_log][server]" ]
                }
        }
}

1 answer


After splitting "node01.ny" your field will be ["node01", "ny"]. Your example doesn't really show what you want to do with those split values, but a basic approach would be to check whether a value is contained in the array:

if "ny" in [phperror_log][server] {
}

Note that add_field is only triggered if the filter was successful. This way you don't have to check the array before adding the field.

However, the split will only work if the field contains ".". You can apply it conditionally:

if [phperror_log][server] =~ /\./ {
  mutate {
     add_field => [ "hey", "i saw a period" ]
  }
}



For example, you can indicate that you want to remove part of the original field's value. Try gsub:

gsub => [ "[phperror_log][server]", "\..*", "" ]

This will delete everything after the "."

Hope it helps.

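As an added example (not part of the question or the answer above), here is a self-contained pipeline that pushes three constructed events through the final filter using a generator input, so the "dot present" and "no dot" branches can both be checked in the rubydebug output. The server values are assumed to look like the ones in the question.

```logstash
# Constructed test pipeline (added example). Run with: bin/logstash -f split-test.conf
input {
  generator {
    # three constructed events: two with a "." in server, one without
    lines => [
      '{"server":"node01.ny","msg":"warning: foo"}',
      '{"server":"node01.par","msg":"notice: bar"}',
      '{"server":"node02","msg":"fatal: baz"}'
    ]
    count => 1
    type  => "phperrors"
  }
}

filter {
  if [type] == "phperrors" {
    json {
      source       => "message"
      target       => "phperror_log"
      remove_field => "message"
      add_tag      => [ "php", "error" ]
    }
    if [phperror_log][server] =~ /\./ {
      # "node01.ny" becomes ["node01", "ny"]; add_field only fires once the split succeeded
      mutate {
        split     => { "[phperror_log][server]" => "." }
        add_field => {
          "errorhost" => "%{[phperror_log][server][0]}"
          "pop"       => "%{[phperror_log][server][1]}"
        }
      }
    } else {
      # no "." in the value: keep the whole host name and mark pop as undefined
      mutate {
        add_field => {
          "errorhost" => "%{[phperror_log][server]}"
          "pop"       => "not defined"
        }
      }
    }
    mutate { remove_field => [ "[phperror_log][server]" ] }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Events whose message is not valid JSON get the json filter's _jsonparsefailure tag and skip the split, so they are easy to spot in the output.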