Reputation: 135
Logstash filter - name fields dynamically
I've got log lines in the following format and want to extract fields:
"field1" => "content1","field2" => "content2",field3" => "content3",...
I neither know the field names, nor the number of fields.
I tried it with ruby but got errors:
Error: Expected one of #, {, } at line 8, column 51 (byte 113) after filter { ruby { code => " fieldArray = event['message'].split('"
my conf are as follows,
input {
stdin {}
}
filter {
ruby {
code => "
fieldArray = event['message'].split('", "')
for field in fieldArray
field = field.delete '",'
field = field.delete '"'
result = field.split(': ')
event[result[0]] = result[1]
end
"
}
}
output {
stdout {
codec => rubydebug
}
}
please tell me how to fix these errors?
Thanks for your help.
Upvotes: 0
Views: 555
Answers (1)
Reputation: 16362
The ruby problem is because you have double-quotes inside your code. Since you're using double-quotes to surround the entire code block, you can't use them inside. I would imagine that escaping them would work.
You might also look into the kv{} filter, which typically handles such fields with ease. If not, convert the "=>" to ":" with mutate->gsub and try the json{} filter.
Upvotes: 0
Related Questions
- Logstash grok filter - name fields dynamically
- logstash filter docker container name
- Parsing JSON event in Logstash
- Chart multipile fields in Kibana
- Logstash json filter parsed fields cannot be read within logstash
- logstash name fields dynamically
- Logstash ruby filter and event fields
- Using Logstash Ruby filter to parse csv file