Logstash - Split characters in string into 2 fields

0
votes

I have Logstash reading in a CSV file, which contains a field my_id, and is an 8-digit string made up of numbers.

I'd like the output file to have 2 fields in place of my_id. One named id_start which will be the first 6 digits and id_end which will be the last 2 digits.

example: my_id: 12345678 would become id_start: 123456 and id_end: 78

I'm very new to Logstash but I've been reading around and I think I need to use a grok filter to do this - my attempt to create the first field so far has not worked:

filter {
  grok {
    match => ["id_start", "(?<my_id>.{6})"]
  }
}

I'm also finding it quite hard to find good examples on this sort of thing, so any help would be appreciated!

2
logstashlogstash-grok

2 Answers

1
votes

You can use ruby filter and write custom ruby code like: 

filter {
  ruby {
    code => "
        event['id_start'] = event['my_id'][0..6]
        event['id_end'] = event['my_id'][6..8]
        "
  }
}
0
votes

This is different for Logstash 5.x+, they have implemented getters and setters and restricted access to the variables.

ruby {
  code => "
      event.set('[id_start]', event.get('[my_id]')[0..6])
      event.set('[id_end]', event.get('[my_id]')[6..8])
      "
}