Parsing dynamically using Logstash

Question

Im trying to parse a dynamic text using logstash and i encounter this problem:

For example, take a look at this text:

number(s) 1

In case i have only one number i can easily put it into a variable and the parsing would look like this:

grok {
   match => [ "message", "number(s) %{NUMBER:NumberValue}" ]
}

But how can i dynamically parse more than one number into the same variable(as a list of integers)? for example:

number(s) 1 2 3

Do you want to capture a list of integers, `[1, 2, 3]` or the string `"1 2 3"`? — Magnus Bäck, Jul 01 '15 at 11:06

score 0 · Answer 1 · answered Jul 01 '15 at 12:38

I don't think you can do this with a grok filter alone. The easiest way is probably to extract all integers into a space-separated string, split it with the mutate filter, and use the ruby filter to convert each element from a string to an integer.

filter {
  grok {
    match => ["message", "number\(s\) (?<numbers>\d+(?: \d+)*)"]
  }
  mutate {
    split => {
      "numbers" => " "
    }
  }
  ruby {
    code => "
      event['numbers'] = event['numbers'].collect { |i| i.to_i }
    "
  }
}

Parsing dynamically using Logstash

1 Answers1