Logstash Split Filter Plugin

Pulse - Elasticsearch Operations Done Right

On this page

Syntax Example Use Case Common Issues and Best Practices Frequently Asked Questions

The Split filter plugin in Logstash is used to divide a single event containing multiple lines or entries into separate events. This is particularly useful when processing logs that contain multi-line records, such as stack traces or structured data, where each line or entry should be treated as an individual event for further processing or analysis.

Syntax

The basic syntax for the Split filter plugin is:

split {
  field => "fieldname"
  terminator => "delimiter"
}

For detailed configuration options, refer to the official Logstash Split filter plugin documentation.

Example Use Case

Consider a log file containing JSON arrays, where each array represents multiple related events:

{"events": [{"id": 1, "message": "Event 1"}, {"id": 2, "message": "Event 2"}]}
{"events": [{"id": 3, "message": "Event 3"}, {"id": 4, "message": "Event 4"}]}

To split these into individual events, you can use the Split filter like this:

filter {
  json {
    source => "message"
  }
  split {
    field => "events"
  }
}

This configuration will create separate events for each item in the "events" array.

Common Issues and Best Practices

  1. Performance Impact: Splitting large events can impact performance. Use judiciously and monitor system resources.
  2. Order Preservation: The Split filter maintains the original event order, which can be important for time-series data.
  3. Nested Splitting: Be cautious when splitting nested fields, as it may lead to unexpected results.
  4. Metadata Handling: Consider how metadata should be handled when splitting events. You may need to copy or modify metadata for the new events.

Frequently Asked Questions

Q: Can the Split filter handle multi-character delimiters?
A: Yes, the Split filter can use multi-character delimiters. Set the terminator option to the desired delimiter string.

Q: How does the Split filter affect event timestamps?
A: By default, all split events inherit the timestamp of the original event. You can modify this behavior using the @timestamp field if needed.

Q: Is it possible to limit the number of splits performed on an event?
A: Yes, you can use the limit option to specify the maximum number of splits to perform on an event.

Q: Can I split an event based on a regular expression instead of a fixed delimiter?
A: The Split filter doesn't directly support regex-based splitting. However, you can use the Ruby filter in combination with Split for more complex splitting logic.

Q: How does the Split filter handle empty fields or delimiters?
A: If the specified field is empty or the delimiter is not found, the Split filter will not create any new events, and the original event will pass through unchanged.

Pulse - Elasticsearch Operations Done Right

Pulse can solve your Elasticsearch issues

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.

We use cookies to provide an optimized user experience and understand our traffic. To learn more, read our use of cookies; otherwise, please choose 'Accept Cookies' to continue using our website.