Changing the key of kv outout

Elastic Stack Logstash
1

hi , I have below kv filter in my logstash conf file

kv {
       field_split => " "
       value_split => "=""


   }

and my data is as bellow:

<12>d=2024-07 T=12:13 P=h c=12
<13>d=2024-07 T=12:15 P=l c=17
<102>d=2024-07 T=12:16 P=m c=19

using kv filter, data can be separated as following (for example for line1)

"<12>d" => "2024-07"
"T" => "12:13"
"P" => "h"
"c" => "12"

I want to define a unique name for the first fields of each line ( <12>d, <13>d, <102>d) as "date", how can i change the key name of kv output?

2

Can you share your entire pipeline?

It is way easier to remove the <XXX> part before the kv filter, you can do that with a dissect filter.

dissect {
    mapping => {
        "message" => "<%{}>%{message}"
    }
}

This will overwritte your message field with just the kv part of the message.

1 Like