devlatte · April 13, 2017 06:11
diff --git a/logstash_split_regexp.conf b/logstash_split_regexp.conf
 filter{
    ruby {
        code => "event.set('message', event.get('message').split(/\001\s+/, -1)); event.set('@timestamp', LogStash::Timestamp.now)"
        add_field => {
            "time" => "%{[message][0]}"
            "level" => "%{[message][1]}"
            "thread" => "%{[message][2]}"
            "msg" => "%{[message][3]}"
            "location" => "%{[message][4]}"
            "stacktrace" => "%{[message][5]}"
        }
        remove_field => ["message"]
    }
 }

 # split second param -1 for empty string
 # this might be grok filter usage, but just split and no PATTERN use
 # event.set('@timestamp', LogStash::Timestamp.now) for replace filebeat @timestamp with logstash processed time
	filter{
	ruby {
	code => "event.set('message', event.get('message').split(/\001\s+/, -1)); event.set('@timestamp', LogStash::Timestamp.now)"
	add_field => {
	"time" => "%{[message][0]}"
	"level" => "%{[message][1]}"
	"thread" => "%{[message][2]}"
	"msg" => "%{[message][3]}"
	"location" => "%{[message][4]}"
	"stacktrace" => "%{[message][5]}"
	}
	remove_field => ["message"]
	}
	}

	# split second param -1 for empty string
	# this might be grok filter usage, but just split and no PATTERN use
	# event.set('@timestamp', LogStash::Timestamp.now) for replace filebeat @timestamp with logstash processed time