I'm relatively new to ELK and grok. I'm trying to parse a log file that may contain 1 or more repetitions of the same value. For example the log file could contain:

value1;value2;value3;

value1;

value1;value2;value3;value4;........value900;

For this example, I'm using the following grok pattern:

((?<tag>[a-z0-9]*)[;])+

This appears to work properly, and parse each value. The problem is that the "tag" field only contains the last value (ie value900). All of the previous values seem to be overwritten.

Is there a way to gather all of the values and store them into an array instead of only getting the last value?

1 Answer

Simply use mutate:

mutate {
  split => ["tag",";"]
}

This will split the value that's in the tag field into an array. So just match the whole string in your grok (?<tag>[a-z0-9;]+) and then split it from there.

Alcanzar
  • Thanks. Very simple. Do you know how to handle it if there are multiple variables that are being repeated instead of just one? i.e. (name;age;gender;name;age;gender). Splitting this would store all of these into one variable. Any ideas on splitting them into multiple variables? – user3597725 Apr 17 '15 at 16:39
  • Not quite sure I understand the question. Are you saying you can classify them based on their name into different buckets? You can do just about anything you want to do with a ruby filter. You could take that "tag" field and iterate over it, sorting it into X piles based on some criteria you define in your code. – Alcanzar Apr 17 '15 at 18:14
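As an added example (not part of the answer or of Logstash itself), the plain Ruby below mirrors what the grok + mutate split pipeline does to a line, and also covers the follow-up in the comments where a flat list of repeated name;age;gender values has to be regrouped into one record per person. The function names and the sample log lines are constructed for this example; String#split is the same call Logstash's mutate split uses, which is why the trailing semicolon in the log does not leave an empty element at the end of the array.

```ruby
# Added example, not from the original answer or from Logstash: plain Ruby
# that mirrors grok (?<tag>[a-z0-9;]+) followed by mutate { split => ["tag", ";"] },
# plus regrouping of repeated field groups. Function and sample names are my own.

# Constructed sample log lines in the shape the question describes.
SAMPLE_LINES = [
  "value1;value2;value3;",
  "value1;",
  "name1;30;f;name2;41;m;",
].freeze

# Mirrors the grok capture: the run of [a-z0-9;] at the start of the line,
# or nil when the line does not match at all (grok would tag _grokparsefailure).
def grok_tag(line)
  m = /\A(?<tag>[a-z0-9;]+)/.match(line)
  m && m[:tag]
end

# Mirrors mutate { split => ["tag", ";"] }. String#split drops trailing empty
# strings, so "value1;value2;" becomes ["value1", "value2"], not [..., ""].
def split_tag(tag)
  tag.split(";")
end

# grok capture + split, returning an empty array when the line does not match.
def parse_line(line)
  tag = grok_tag(line)
  return [] if tag.nil?
  split_tag(tag)
end

# Follow-up from the comments: a flat list of repeated (name, age, gender)
# values becomes one hash per record, so each record keeps its own fields.
# A length that is not a multiple of the group width is rejected rather than
# silently producing a short last record.
def group_repeated(values, field_names)
  raise ArgumentError, "field_names must not be empty" if field_names.empty?
  width = field_names.size
  unless (values.size % width).zero?
    raise ArgumentError, "#{values.size} values is not a multiple of #{width}"
  end
  values.each_slice(width).map { |slice| field_names.zip(slice).to_h }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |line| p parse_line(line) }
  p group_repeated(parse_line(SAMPLE_LINES[2]), %w[name age gender])
end
```

The regrouping step is the part that would live in a ruby filter in a real pipeline; the split alone, as the answer says, needs only mutate.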