Dissect filter - Empty data between delimiter: unexpected behavior

tvdruenen · March 11, 2020, 3:31pm

I have the following dissect config:

if "log" in [tags] {
  dissect {
    mapping => {
      "message" => "%{Accept_Encoding}|%{Accept_Language}|'%{Cipher_Version}'"
    }
  }
}

If I send:
"gzip|en|'TLSv1.2'"

I'll get (as expected):

{
  "Accept_Encoding": "gzip",
  "Accept_Language": "en",
  "Cipher_Version": "TLSv1.2"
}

If I send:
"gzip||TLSv1.2"

I'll get (as expected):

{
  "Accept_Encoding": "gzip",
  "Cipher_Version": "TLSv1.2"
}

But.. If I send:
"|en|TLSv1.2"

So my message starts with a delimiter, my complete message is screwed up and enters Elasticsearch as something like:

{
  "Cipher_Version": "|en|TLSv1.2"
}

Is this expected behavior?

If so, it would be nice to add to the documentation that using the Logstash delimiter filter you must always be sure your first value is filled.

system · April 8, 2020, 3:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why is my logstash skipping delimiter in dissect mapping? Logstash	2	313	August 27, 2018
Help using logstash dissect filtering Logstash	3	325	June 18, 2019
Logstash Dissect Filter - Multiple Delimiters? Logstash	1	799	December 4, 2018
Repeated delimiters with dissect , how to handle? Logstash	5	2611	July 27, 2017
Understanding dissect behaviour Logstash	8	844	September 30, 2019