The context is logstash and bro http logs.
Both logstash and bro are minimally configured, just enough to test. Bro is generating tsv files and logstash is using the csv filter to process.
In testing, logstash occasionally throws _csvparsefailure errors. Through the process of elimination, I have determined that a double-quote character embedded in a field triggers the _csvparsefailure. The parse error occurs ONLY and ALWAYS when a Bro field contains a double-quote. Single quotes are fine.
The logstash message field shows what looks like correctly escaped quotes:
&_cvar={"1":["service","fqdn"]}
Bro has this:
&_cvar=%7B%221%22%3A%5B%22service%22%2C%22fqdn%22%5D%7D
Aside from modifying the input data (which just seems wrong), is there another solution/work-around? I have tried explicitly setting quote_char to something else, but I have not found a valid character that does not occur in some log entry.
Thanks,
David
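
The failure described above, reproduced as an added example that is not part of the original post: Ruby's standard CSV parser (assumed here as a stand-in for the csv filter's quote handling) rejects a tab-separated line holding a bare double quote, while a plain tab split, which treats quotes as ordinary data, keeps the event. The log excerpt, its values and the function names are constructed for illustration.

```ruby
require "csv" # Ruby's standard CSV parser, quote-aware by default

# Constructed excerpt in the shape of a Bro http.log (TSV with "#" header lines).
SAMPLE = <<~LOG
  #separator \\x09
  #fields\tts\tuid\turi
  1400000000.000000\tCabc123\t/index.html
  1400000001.000000\tCdef456\t/t?&_cvar={"1":["service","fqdn"]}
LOG

# Quote-aware parse with tab as separator. Returns the fields, or nil when
# the parser rejects the line (the analogue of a _csvparsefailure tag).
def parse_with_csv(line)
  CSV.parse_line(line, col_sep: "\t")
rescue CSV::MalformedCSVError
  nil
end

# Quote-agnostic parse: split on tabs only and take the column names from
# the "#fields" header, so a double quote is just another byte in the field.
def parse_bro_tsv(text)
  fields = nil
  events = []
  text.each_line(chomp: true) do |line|
    if line.start_with?("#fields\t")
      fields = line.split("\t", -1).drop(1)
    elsif line.start_with?("#") || line.empty?
      next
    else
      values = line.split("\t", -1) # -1 keeps trailing empty columns
      unless fields && values.size == fields.size
        raise ArgumentError, "column count mismatch: #{line.inspect}"
      end
      events << fields.zip(values).to_h
    end
  end
  events
end

data_lines = SAMPLE.lines(chomp: true).reject { |l| l.start_with?("#") }
rejected = data_lines.count { |l| parse_with_csv(l).nil? }
puts "quote-aware parser rejected #{rejected} of #{data_lines.size} lines"
puts "tab split kept uri: #{parse_bro_tsv(SAMPLE).last['uri']}"
```

Every line the quote-aware parser rejects is an event that never reaches its parsed fields, so counting such failures per log source is a useful ingestion health check.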