I think this is a simple case, but I have been having issues implementing it.
My input message is in the format: aaaaaaaaa;bbbbbbbbbb
or aaaaaaa:bbbbbbb
and what I was trying to do was to split on either the colon or the semicolon, and then assign the parts to key and value pairs.
I was doing 2 mutates but it was erroring on that when I ran some sample tests.
    mutate {
      split => {
        "message" => ":"
      }
      add_field => {
        "key" => "%{[message][0]}"
        "value" => "%{[message][1]}"
      }
    }
    mutate {
      split => {
        "message" => ";"
      }
      add_field => {
        "key" => "%{[message][0]}"
        "value" => "%{[message][1]}"
      }
    }
but I don't think that was right. I was then looking more into grok but wasn't sure if that was how it works.
Should I instead be doing:
    filter {
      grok {
        match => { "message" => "%{key}:%{value}" }
      }
      grok {
        match => { "message" => "%{key};%{value}" }
      }
    }
I would do that using grok. Try this:
grok { match => { "message" => "%{DATA:field1}[:;]%{GREEDYDATA:field2}" } }
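As an added illustration that is not part of the original thread, the following Python snippet re-implements the suggested grok pattern with the standard regular expressions grok uses for DATA (`.*?`) and GREEDYDATA (`.*`), so you can see offline what ends up in field1 and field2 for each input shape. The function name `grok_key_value`, the sample messages and the event dict layout are this example's own choices, not anything from Logstash itself; the `_grokparsefailure` tag and the dropping of empty captures mirror grok's defaults.

```python
import re

# Hypothetical re-implementation of the answer's grok pattern:
#   %{DATA:field1}[:;]%{GREEDYDATA:field2}
# In grok's standard pattern file DATA is ".*?" (non-greedy) and GREEDYDATA is ".*",
# so the split happens at the FIRST ':' or ';' and everything after it lands in field2.
# Grok does not anchor the expression, hence re.search rather than re.fullmatch.
GROK_EQUIVALENT = re.compile(r"(?P<field1>.*?)[:;](?P<field2>.*)")


def grok_key_value(message: str) -> dict:
    """Return a Logstash-style event dict for one message.

    On a match, field1/field2 are added (empty captures are dropped, as grok does
    by default with keep_empty_captures => false). On no match the event keeps
    only the raw message and gets the '_grokparsefailure' tag, as grok would.
    """
    event = {"message": message}
    match = GROK_EQUIVALENT.search(message)
    if match is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    for name, value in match.groupdict().items():
        if value != "":
            event[name] = value
    return event


# Constructed sample messages covering the two formats from the question plus
# two edge cases a pipeline will eventually see.
SAMPLES = [
    "aaaaaaaaa;bbbbbbbbbb",      # semicolon format
    "aaaaaaa:bbbbbbb",           # colon format
    "user:pass;role=admin",      # both separators present: first one wins
    "no-separator-here",         # neither separator: tagged as a parse failure
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(grok_key_value(sample))
```

Because DATA is non-greedy, a value that itself contains a second separator (`user:pass;role=admin`) is kept intact in field2 rather than being cut again, and a message with no separator at all is tagged instead of silently producing empty fields, which is the case to alert on if these events feed a detection rule.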