how do i split message into 2 properties based on one of 2 tokens?

Question

I think this is a simple case, but I have been having issues implementing it.

My input message is in the format: aaaaaaaaa;bbbbbbbbbb or aaaaaaa:bbbbbbb and what i was trying to do was to split on either of the colon or semicolon, and then assign them to key and value pairs.

I was doing 2 mutates but it was erroring on that when I ran some sample tests.

mutate{
  split => {
    "message" => ":"
  }
  add_field => {
    "key" => "%{[message][0]}"
    "value" => "%{[message][1]}"
  }
}
mutate{
  split => {
    "message" => ";"
  }
  add_field => {
    "key" => "%{[message][0]}"
    "value" => "%{[message][1]}"
  }
}

but i dont think that was right. I was then looking more into grok but wasnt sure if that was how it works.

Should I instead be doing:

filter {
  grok {
    match => { "message" => "%{key}:%{value}" }
  }
  grok {
    match => { "message" => "%{key};%{value}" }
  }
}

score 1 · Accepted Answer · answered Aug 11 '19 at 11:46

1

I would do that using grok. Try this:

grok { match => { "message" => "%{DATA:field1}[:;]%{GREEDYDATA:field2}" } }

answered Aug 11 '19 at 11:46

Badger

3,943
2
6
17

ill take a look as see if that works. I was not sure if the match string was a regex or if there are specific conditions for it. Ill check it out and then get back to you. :) – Fallenreaper Aug 11 '19 at 20:54

how do i split message into 2 properties based on one of 2 tokens?

1 Answers1