Logstash Grok Filter Spit and put in seperate buckets in Elastic Index

Question

Hi I have a log line say like"APPLE" AND "BANANA" AND "MANGO" OR "GRAPES"

I want it to mutate like and split to put in elastic , so elastic should have a equivalent as

options{
    fruits :{
        'APPLE','BANANA','MANGO','GRAPES'
    },
    operators{
        'AND' ,'AND','OR'
    }
}

Is it possible to apply split and put under separate buckets as fruits and operators.

In real scenario Grok = `%{WORD:LEVEL}%{SPACE}\[%{GREEDYDATA:ts}\]%{SPACE}\<%{NUMBER:threadNo}\>%{SPACE}\<%{IP:ip}\,%{GREEDYDATA:UID}\,%{GREEDYDATA:user}\,%{NUMBER:num_1}\,%{NUMBER:num_2}\,%{GREEDYDATA:msg1}\,%{GREEDYDATA:msg2}\,\(\(fruits\:\(%{GREEDYDATA:fruits}\)\)\)\,%{NUMBER:num_3}\,%{NUMBER:num_4}\>` Sample Log Line `STATUS [06/23 01:00:06.629] <45> <10.51.4.5,0e5a963a-2983-4e4b-98a5-839a0c4d826f_,USER1,45,0,,,((fruits:("apple" AND "GUAVA"))),1,2> ` and in conf if I add a mutate on fruits `mutate { split => [ "fruits", " " ] }` — Kumar Pallav, Jun 24 '15 at 11:14
In Elastic for above I get In elastic I get `"fruits": [ ""apple"" , "AND" , ""banana"" ]` — Kumar Pallav, Jun 24 '15 at 11:17

score 0 · Answer 1 · answered Jun 24 '15 at 16:01

0

If the problem is "quoted string followed by unquoted string, repeating", I would drop into a ruby{} filter, split on space, examine each word to determine if it's quoted or not, and process as needed.

If not, please expand on your question.

answered Jun 24 '15 at 16:01

Alain Collins

16,268
2
32
55

Logstash Grok Filter Spit and put in seperate buckets in Elastic Index

1 Answers1