Dissect filter - Empty data between delimiter: unexpected behavior

tvdruenen · March 11, 2020, 3:31pm

I have the following dissect config:

if "log" in [tags] {
  dissect {
    mapping => {
      "message" => "%{Accept_Encoding}|%{Accept_Language}|'%{Cipher_Version}'"
    }
  }
}

If I send:
"gzip|en|'TLSv1.2'"

I'll get (as expected):

{
  "Accept_Encoding": "gzip",
  "Accept_Language": "en",
  "Cipher_Version": "TLSv1.2"
}

If I send:
"gzip||TLSv1.2"

I'll get (as expected):

{
  "Accept_Encoding": "gzip",
  "Cipher_Version": "TLSv1.2"
}

But.. If I send:
"|en|TLSv1.2"

So my message starts with a delimiter, my complete message is screwed up and enters Elasticsearch as something like:

{
  "Cipher_Version": "|en|TLSv1.2"
}

Is this expected behavior?

If so, it would be nice to add to the documentation that using the Logstash delimiter filter you must always be sure your first value is filled.

system · April 8, 2020, 3:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why is my logstash skipping delimiter in dissect mapping? Logstash	2	313	August 27, 2018
Help using logstash dissect filtering Logstash	3	325	June 18, 2019
Logstash Dissect Filter - Multiple Delimiters? Logstash	1	798	December 4, 2018
Understanding dissect behaviour Logstash	8	837	September 30, 2019
Logstash filtr strange behavior Logstash	17	595	September 8, 2020