This is the field
device_version => 2.6.1.1280 [eng:v1.3.26.0 rul:v2018.07.12.09 act:v2018.01.20.01 sws:v2018.07.12.09]
How can I get eng, and rul ... value and put them individually to a new field?
Thanks
If you just want to match eng and rul value, you can simple match them using %{DATA},
eng:%{DATA:eng}\srul:%{DATA:rul}\s
This will output,
{
"eng": [
[
"v1.3.26.0"
]
],
"rul": [
[
"v2018.07.12.09"
]
]
}
You can test it at https://grokdebug.herokuapp.com/
Edit:
filter {
grok {
match => { "device_version" => "eng:%{DATA:eng}\srul:%{DATA:rul}\s" }
}
}
You should also have a look at default grok patterns available, https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns