Herry

Reputation: 33

Logstash - find length of split result inside mutate

I'm a newbie with Logstash. Currently I'm trying to parse a log in CSV format. I need to split a field with a whitespace delimiter, then I'll add new field(s) based on the split result.

Here is the filter I need to create:

filter {
...
mutate {
    split => ["user", " "]
    if [user.length] == 2 {
        add_field => { "sourceUsername" => "%{user[0]}" }
        add_field => { "sourceAddress" => "%{user[1]}" }
    }
    else if [user.length] == 1 {
        add_field => { "sourceAddress" => "%{user[0]}" }
    }
}
...
}

I got an error after the if script. Please advise, is there any way to capture the length of the split result inside the mutate plugin?

Thanks, Heri

Upvotes: 3

Views: 2534

Answers (1)

hurb

Reputation: 2217

According to your code example I suppose that you are done with CSV parsing and you already have a field user which has either a value that contains a sourceAddress or a value that contains a sourceUsername and a sourceAddress (separated by whitespace).

Now, there are a lot of filters that can be used to retrieve further fields. You don't need to use the mutate filter to split the field. In this case, a more flexible approach would be the grok filter.

Filter:

grok {
    match => {
        "user" => [
            # two parts: "<username> <ip>"
            "%{WORD:sourceUsername} %{IP:sourceAddress}",
            # one part: just the address (matching it as WORD would only
            # capture the first octet of the IP, so use IP here)
            "%{IP:sourceAddress}"
        ]
    }
}

A field "user" => "192.168.0.99" would result in

"sourceAddress" => "192.168.0.99".

A field "user" => "Herry 192.168.0.99" would result in

"sourceUsername" => "Herry", "sourceAddress" => "192.168.0.99"

Of course you can change IP to WORD if your sourceAddress is not an IP.

Upvotes: 2
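For completeness, here is the split-then-branch approach the question originally asked for, as an added example that is not part of the answer above. It assumes the current Logstash field-reference syntax (`[user][1]` for the second array element, which evaluates as false in a conditional when that element does not exist) and that the user field holds at most two whitespace-separated parts; the key point is that conditionals belong outside plugin blocks, not inside mutate.

```logstash
filter {
  # Split "user" on whitespace; afterwards [user] is an array,
  # e.g. ["Herry", "192.168.0.99"] or ["192.168.0.99"].
  mutate {
    split => { "user" => " " }
  }

  # Conditionals live outside plugin blocks in Logstash. A reference to an
  # array element is false when that element does not exist, so [user][1]
  # tells us whether the split produced two parts (assumption: at most two).
  if [user][1] {
    mutate {
      add_field => {
        "sourceUsername" => "%{[user][0]}"
        "sourceAddress"  => "%{[user][1]}"
      }
    }
  } else {
    mutate {
      add_field => { "sourceAddress" => "%{[user][0]}" }
    }
  }

  # A third element means unexpected input; tag it so such events can be
  # found and inspected instead of being silently mis-mapped.
  if [user][2] {
    mutate { add_tag => [ "_user_split_unexpected" ] }
  }
}
```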
