Additional // are seen in parsed message after logstash parsed syslog event

Hello All,

This is my input string : SECU "OTN2.LAB":SHELF-1 001328 SHELF-1:16-02-05,00-15-00

And output parsed message looked like this :
"syslog_message" => "SECU \"OTN2.LAB\":SHELF-1 001328

Here is what my filter looks like:
filter {
  grok {
    match => { "message" => "<[0-9]*>%{CIENA_TIMESTAMP:ciena_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }

    remove_field => ["@version", "host", "message", "port"]
  }

  date {
    target => "@timestamp"
    match => [ "ciena_timestamp",
               "MMM  d HH-mm-ss",
               "MMM dd HH-mm-ss" ]
    timezone => "UTC"
  }
}

Question is: From where is it adding the unwanted "//" in the parsed message? I don't want them to be present in my parsed message.

Thanks for your help.

Any reply on this one ?

This is my input string : SECU "OTN2.LAB":SHELF-1 001328 SHELF-1:16-02-05,00-15-00

And output parsed message looked like this :
"syslog_message" => "SECU \"OTN2.LAB\":SHELF-1 001328

It looks like you have literal backslashes in your input. Logstash uses C-like escape sequences, so any backslash will be written as two backslashes in a double-quoted string like the one above (presumably from a stdout { codec => rubydebug } output).

Any reply on this one ?

Volunteers respond to questions here so please allow for reasonable response times. Seven hours isn't reasonable. If you want quick response times there are paid support options.
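
An added example, not part of the thread and not Logstash's own code: a Ruby sketch that compares what is stored in a field with its double-quoted rendering, for the payload from the question and for a constructed variant that really contains backslashes. `String#inspect` stands in for the rubydebug display (an assumption), and `renderings`, `display_only_escapes?`, `RAW` and `RAW_BS` are hypothetical names.

```ruby
require 'json'

# Constructed samples. RAW is the payload from the question; RAW_BS is the
# same payload with literal backslashes actually present in the data.
RAW    = 'SECU "OTN2.LAB":SHELF-1 001328'
RAW_BS = 'SECU \\"OTN2.LAB\\":SHELF-1 001328'

# Hypothetical helper: compare the stored field value with how it is displayed.
def renderings(value)
  shown = value.inspect                             # double-quoted literal (stand-in for rubydebug)
  json  = JSON.generate('syslog_message' => value)  # what a JSON-encoding output would emit
  {
    stored: value,
    shown: shown,
    json: json,
    stored_backslashes: value.scan('\\').length,
    shown_backslashes: shown.scan('\\').length,
    # Decoding the JSON form must give back the stored value byte for byte.
    round_trip_ok: JSON.parse(json)['syslog_message'] == value
  }
end

# True when backslashes appear only in the rendering, not in the data itself.
def display_only_escapes?(value)
  r = renderings(value)
  r[:stored_backslashes].zero? && r[:shown_backslashes].positive?
end

if __FILE__ == $PROGRAM_NAME
  [RAW, RAW_BS].each do |sample|
    r = renderings(sample)
    puts "stored : #{r[:stored]}"
    puts "shown  : #{r[:shown]}"
    puts "json   : #{r[:json]}"
    puts "backslashes stored=#{r[:stored_backslashes]} shown=#{r[:shown_backslashes]} " \
         "display-only=#{display_only_escapes?(sample)}"
    puts
  end
end
```

Counting backslashes in the stored value rather than in the console rendering is the check that tells whether the pipeline input itself carries them.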