guyboertje
commented
6 years ago The problem here is an undocumented requirement that only free standing numbers will be extracted. Free standing in this case means that there is whitespace on either side of the number in the string.
Based on your sample you should make a copy and mutate/gsub the = and | characters with spaces on the copy and then try the extractnumbers filter on the copy.
The Ruby test shows this: https://github.com/logstash-plugins/logstash-filter-extractnumbers/blob/master/spec/filters/extractnumbers_spec.rb#L16
I am using Logstash 5.2.0 and I am used logstash-filter-extractnumbers v3.0.0 . I didn't see it extracted the numbers from the string , then I updated the filter plugin to v3.0.3 still I didn't see the number getting extracted into any new fields.
My log pattern Dec 20 00:00:01|qmngr=ESBBKD3|cmd=DIS_CONN|total_threads=342|1DDSUPPORT.CLNTCHL=29|CC.CLNTCHL=40|CCON.CLNTCHL=9|CPD.CLNTCHL=69|DPMS.CLNTCHL=24|FLEET.CLNTCHL=15|ICEDPUSER.CLNTCHL=85|LSTRS.CLNTCHL=40|MQTOOL.CLNTCHL=4|RMD.CLNTCHL=8|SIMSSUPPORT.CLNTCHL=26|STEM.CHANNEL.SYNCQ=1|SXM.CLNTCHL=24|SYSTEM.ADMIN.SVRCONN=4|TESS.CLNTCHL=38|TFS.CLNTCHL=2|TONO.CLNTCHL=3|TSC.CLNTCHL=3|VROR.SVRCONN=41|
Logstash.conf input { beats { port => 7687 }
}
filter{ extractnumbers{ source => "message" }
kv{ allow_duplicate_values => false field_split => "|" }
}
Please let me know is anything I need to add in my config.