Dissect filter - Empty data between delimiter: unexpected behavior

tvdruenen · March 11, 2020, 3:31pm

I have the following dissect config:

if "log" in [tags] {
  dissect {
    mapping => {
      "message" => "%{Accept_Encoding}|%{Accept_Language}|'%{Cipher_Version}'"
    }
  }
}

If I send:
"gzip|en|'TLSv1.2'"

I'll get (as expected):

{
  "Accept_Encoding": "gzip",
  "Accept_Language": "en",
  "Cipher_Version": "TLSv1.2"
}

If I send:
"gzip||TLSv1.2"

I'll get (as expected):

{
  "Accept_Encoding": "gzip",
  "Cipher_Version": "TLSv1.2"
}

But.. If I send:
"|en|TLSv1.2"

So my message starts with a delimiter, my complete message is screwed up and enters Elasticsearch as something like:

{
  "Cipher_Version": "|en|TLSv1.2"
}

Is this expected behavior?

If so, it would be nice to add to the documentation that using the Logstash delimiter filter you must always be sure your first value is filled.

system · April 8, 2020, 3:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.