Agent processor dissect question

rugenl · December 11, 2025, 5:11pm

I have an integration using Custom Logs with a processor using this dissect:

- dissect:

 tokenizer: "%{date} %{time} %{action} %{protocol} %{src-ip} %{dst-ip} %{src-port} %{dst-port} %{size} %{tcpflags} %{tcpsyn} %{tcpack} %{tcpwin} %{icmptype} %{icmpcode} %{info} %{path} %{pid}"

 field: "message"

 target_prefix: ""

In one log, the last field (pid) is missing so nothing is dissected.

The ignore_missing looks like it would handle “message” missing, but I don’t see an option to tolerate a short message. Is there a way to tolerate a short message?

Thanks.

(Yes, it could be changed to an ingest pipeline, but this was a simple solution, till it wasn’t)

leandrojmp · December 11, 2025, 5:25pm

No, dissect requires that the message matches the pattern, if the message does not match, it will fail.

But, if I'm not wrong it can have more tokens, just not less tokens.

Since your case what is missing is the last token, maybe you can use a different pattern and capture the path and pid together and process them later in different ways depending if the pid is present or not.

Something like this I think:

"%{date} %{time} %{action} %{protocol} %{src-ip} %{dst-ip} %{src-port} %{dst-port} %{size} %{tcpflags} %{tcpsyn} %{tcpack} %{tcpwin} %{icmptype} %{icmpcode} %{info} %{path_and_pid}

Topic		Replies	Views
DISSECT FILTER, field not always specified Logstash	5	1650	July 10, 2017
Ingest Pipeline Dissect Pattern unable to match Append modifiers Elasticsearch ingest-pipeline	5	326	October 10, 2023
Dissect field with unknown length? Logstash	3	478	August 31, 2019
Multiple patterns for dissect processor in the pipeline Elasticsearch	5	981	June 2, 2023
Optional field in dissect plugin Logstash	2	3027	October 31, 2018

Agent processor dissect question

Related topics