There are a few drivers for this.

- People are familiar with this from Grok.
- Beats and Ingest Node would like support for Dissect-style de-structuring.
- The Grok classifier in ML would like to support it.

It would simplify some configs, see this for more info:
```
dissect {
  mapping => {
    "message" => "%{} %{message}"
  }
}
if [message] =~ /^id/ {
  dissect {
    mapping => {
      "message" => "id=%{imp_id} action=%{imp_action} wf=%{imp_wf} ip=%{imp_ip} from=%{imp_from} to=%{imp_to} %{message}"
    }
  }
  if [message] =~ /size/ {
    dissect {
      mapping => {
        "message" => "size=%{imp_size} filters=%{imp_filters}"
      }
    }
  } else if [message] =~ /filters/ {
    dissect {
      mapping => {
        "message" => "filters=%{imp_filters}"
      }
    }
  }
} else if [message] =~ /^sid/ {
  dissect {
    mapping => {
      "message" => "sid=%{imp_sid} ip=%{imp_ip} action=%{imp_action} wf=%{imp_wf} smpt=%{imp_smtp} %{message}"
    }
  }
}
```
To (suggestion):
```
dissect {
  break_on_match => false
  # cascading mutation of message field
  mapping => {
    "message" => [
      "%{} %{message}",
      "sid=%{imp_sid} ip=%{imp_ip} action=%{imp_action} wf=%{imp_wf} smpt=%{imp_smtp} %{message}",
      "id=%{imp_id} action=%{imp_action} wf=%{imp_wf} ip=%{imp_ip} from=%{imp_from} to=%{imp_to} %{message}",
      "size=%{imp_size} filters=%{imp_filters}",
      "filters=%{imp_filters}"
    ]
  }
}
```
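A toy model of the cascade the suggested config describes, added here as an illustration and not code from the dissect plugin: a minimal dissect matcher plus the `break_on_match => false` loop, run over two constructed log lines. The `MAPPING` list copies the patterns above verbatim (including `smpt=`); the sample line contents and the `dissect`/`dissect_cascade` function names are assumptions.

```python
import re

FIELD_RE = re.compile(r"%\{([^}]*)\}")

# The flat mapping suggested above, tried top to bottom (copied from the issue).
MAPPING = [
    "%{} %{message}",
    "sid=%{imp_sid} ip=%{imp_ip} action=%{imp_action} wf=%{imp_wf} smpt=%{imp_smtp} %{message}",
    "id=%{imp_id} action=%{imp_action} wf=%{imp_wf} ip=%{imp_ip} from=%{imp_from} to=%{imp_to} %{message}",
    "size=%{imp_size} filters=%{imp_filters}",
    "filters=%{imp_filters}",
]

# Constructed sample events (192.0.2.0/24 is the documentation address range).
SAMPLES = [
    "2024-05-01T10:00:00Z id=42 action=deliver wf=main ip=192.0.2.10 from=alice@example.com to=bob@example.com size=1024 filters=spam",
    "2024-05-01T10:00:01Z sid=7 ip=192.0.2.20 action=reject wf=inbound smpt=helo filters=spam",
]

def dissect(pattern, text):
    """Minimal dissect: literal delimiters must appear in order, each %{name} takes
    the text up to the next delimiter (the last field takes the rest) and %{}
    consumes a token without storing it. Returns None when the pattern does not fit."""
    names = FIELD_RE.findall(pattern)
    delims = FIELD_RE.split(pattern)[::2]  # delims[i] precedes field i, delims[-1] trails
    fields, pos = {}, 0
    for i, name in enumerate(names):
        if not text.startswith(delims[i], pos):
            return None
        pos += len(delims[i])
        end = text.find(delims[i + 1], pos) if delims[i + 1] else len(text)
        if end < 0:
            return None
        if name:
            fields[name] = text[pos:end]
        pos = end
    return fields if text.startswith(delims[-1], pos) else None

def dissect_cascade(event, field, patterns, break_on_match=False):
    """Try every pattern against the current value of event[field]; a pattern that
    captures back into that field rewrites it for the patterns after it."""
    for pattern in patterns:
        captured = dissect(pattern, event.get(field, ""))
        if captured is None:
            continue
        event.update(captured)
        if break_on_match:
            break
    return event
```

Because the `size=` pattern does not capture back into `message`, the bare `filters=` pattern only fires when the remainder itself begins with `filters=`, which matches the else-if structure of the nested config.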