Changing the key of kv outout

sahere37 · July 11, 2024, 7:25am

hi , I have below kv filter in my logstash conf file

kv {
       field_split => " "
       value_split => "=""


   }

and my data is as bellow:

<12>d=2024-07 T=12:13 P=h c=12
<13>d=2024-07 T=12:15 P=l c=17
<102>d=2024-07 T=12:16 P=m c=19

using kv filter, data can be separated as following (for example for line1)

"<12>d" => "2024-07"
"T" => "12:13"
"P" => "h"
"c" => "12"

I want to define a unique name for the first fields of each line ( <12>d, <13>d, <102>d) as "date", how can i change the key name of kv output?

leandrojmp · July 11, 2024, 12:39pm

Can you share your entire pipeline?

It is way easier to remove the <XXX> part before the kv filter, you can do that with a dissect filter.

dissect {
    mapping => {
        "message" => "<%{}>%{message}"
    }
}

This will overwritte your message field with just the kv part of the message.

Topic		Replies	Views
Fields splitting from kv filter not containing blank values Logstash	3	383	January 9, 2020
Key value pair Logstash	2	1760	February 4, 2019
Using KV filter Logstash	4	951	July 6, 2017
Logstash filtering Logstash	9	325	April 26, 2019
Question on kv filter Logstash	2	263	January 31, 2023