The split filter is for splitting multiline messages into separate events.
An example use case is taking output from the 'exec' input, which emits one event for the whole output of a command, and splitting that output by newline so that each line becomes its own event.
The end result of each split is a complete copy of the event with only the current split section of the given field changed.
    filter {
      split {
        add_field => ... # hash (optional), default: {}
        add_tag => ... # array (optional), default: []
        field => ... # string (optional), default: "@message"
        tags => ... # array (optional), default: []
        terminator => ... # string (optional), default: "\n"
        type => ... # string (optional), default: ""
      }
    }
If this filter is successful, add any arbitrary fields to this event. Example:
    filter {
      myfilter {
        add_field => [ "sample", "Hello world, from %{@source}" ]
      }
    }
On success, myfilter will then add field 'sample' with the value above and the %{@source} piece replaced with that value from the event.
If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:
    filter {
      myfilter {
        add_tag => [ "foo_%{somefield}" ]
      }
    }
If the event has field "somefield" == "hello", this filter, on success, would add a tag "foo_hello".
The 'field' setting names the field whose value is split by the terminator.
The 'tags' setting restricts the filter to events that have all of these tags. Note that if you specify a type, the event must also match that type. Optional.
The 'terminator' setting is the string to split on. This is usually a line terminator, but can be any string.
The 'type' setting is the type to act on. If a type is given, then this filter will only act on messages with the same type. See any input plugin's "type" attribute for more. Optional.
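The copy-per-split behaviour and the 'type' and 'tags' matching described above can be modelled on plain hashes. This is an added Ruby sketch, not Logstash's own code: split_event, expand and the sample event are hypothetical, and dropping empty pieces is an assumption of the sketch.

```ruby
# Added sketch, not Logstash source: models the documented split behaviour
# on plain hashes. split_event, expand and SAMPLE are hypothetical names.

# Replace %{name} with the event's top-level value or its @fields entry.
def expand(template, event)
  template.gsub(/%\{([^}]+)\}/) { (event[$1] || event.fetch("@fields", {})[$1]).to_s }
end

# Return the events produced by splitting event[field] on the terminator.
# opts mirrors the documented settings and their defaults.
def split_event(event, opts = {})
  field      = opts.fetch(:field, "@message")
  terminator = opts.fetch(:terminator, "\n")
  type       = opts.fetch(:type, "")
  tags       = opts.fetch(:tags, [])

  # Gating: a given type must match and every listed tag must be present.
  return [event] unless type.empty? || event["@type"] == type
  return [event] unless (tags - event.fetch("@tags", [])).empty?
  return [event] unless event[field].is_a?(String)

  # Assumption of this sketch: empty pieces (blank lines) produce no event.
  event[field].split(terminator).reject(&:empty?).map do |piece|
    copy = Marshal.load(Marshal.dump(event))  # complete, independent copy
    copy[field] = piece                       # only the split field changes
    opts.fetch(:add_field, {}).each do |name, value|
      (copy["@fields"] ||= {})[name] = expand(value, copy)
    end
    added = opts.fetch(:add_tag, []).map { |tag| expand(tag, copy) }
    copy["@tags"] = copy.fetch("@tags", []) + added
    copy
  end
end

# Constructed sample: one 'exec' event holding a whole command output.
SAMPLE = {
  "@source"  => "exec://web01/",
  "@type"    => "listeners",
  "@tags"    => ["inventory"],
  "@fields"  => {},
  "@message" => "tcp 0.0.0.0:22 LISTEN\n\ntcp 127.0.0.1:5432 LISTEN\n"
}

if __FILE__ == $PROGRAM_NAME
  split_event(SAMPLE, type: "listeners", add_tag: ["split_%{@type}"]).each { |e| p e }
end
```

Every resulting event keeps the original "@source" and "@type", so per-line events can still be correlated back to the host and command that produced them.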