Pipeline - Split and Extract

panklit · 2018-02-08 13:09:36 UTC

Hi there,

i’m stuggeling with one of my input.

I’m getting the logs in this format, semicolons are everytime the same amount:

2018-02-08;13:19:44.489;INFORMATION;;;;2288;ReadPolicy: Configuration value read from INI file: StreamingExclusionList+=<!ctx_roamingappdata!\Microsoft\SystemCertificates>

Now i would like to extract all values between the semicolons in seperate field, but i dont know how i should use the split function corectly

I tried: split(".*",";");

Thanks and regards, Raphael

jochen · 2018-02-08 13:29:29 UTC

What would you expect as a result of that function invocation?

If the message has the same schema every time, you could use a Grok pattern to split it into the desired fields.

panklit · 2018-02-08 13:45:45 UTC

I would like to split every part of that line into an seperate field (seperated by the semicolon)

Havent worked with GROK yet

jochen · 2018-02-08 15:41:24 UTC

And what would the respective field name be for each field?

panklit · 2018-02-09 09:00:20 UTC

Date,Time,Type,Name, Domain,User,ID,Action,Message something like that

jochen · 2018-02-09 09:44:38 UTC

And how would you assign these field names and values without a proper mapping?

That mapping could be done (implicitly) via Grok patterns or a regular expression with named groups.

system · 2018-02-23 09:45:02 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.