I have the following dissect config:
if "log" in [tags] {
  dissect {
    mapping => {
      "message" => "%{Accept_Encoding}|%{Accept_Language}|'%{Cipher_Version}'"
    }
  }
}
If I send:
"gzip|en|'TLSv1.2'"
I'll get (as expected):
{
  "Accept_Encoding": "gzip",
  "Accept_Language": "en",
  "Cipher_Version": "TLSv1.2"
}
If I send:
"gzip||TLSv1.2"
I'll get (as expected):
{
  "Accept_Encoding": "gzip",
  "Cipher_Version": "TLSv1.2"
}
But... if I send:
"|en|TLSv1.2"
so that my message starts with a delimiter, my complete message is screwed up and enters Elasticsearch as something like:
{
  "Cipher_Version": "|en|TLSv1.2"
}
Is this expected behavior?
If so, it would be nice to add to the documentation that, when using the Logstash delimiter filter, you must always make sure your first value is filled.
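A minimal left-to-right delimiter parser, added here as an example and not Logstash's own dissect code, showing the result the post expects for a message that starts with a delimiter, plus a pre-check that flags such messages before they reach the filter. It assumes the post's pattern without the quotes around Cipher_Version, so that all three sample messages fit one pattern.

```python
import re

# Added example, not Logstash's dissect implementation: a minimal
# left-to-right delimiter parser in the spirit of a dissect mapping.
# PATTERN is the post's mapping minus the quotes around Cipher_Version
# (an assumption, so that all three sample messages match one pattern).
PATTERN = "%{Accept_Encoding}|%{Accept_Language}|%{Cipher_Version}"

TOKEN_RE = re.compile(r"%\{([^}]+)\}")


def compile_pattern(pattern):
    """Split a dissect-style pattern into [(field, following_delimiter), ...].

    The delimiter after the last field is "" (that field takes the remainder).
    """
    # For PATTERN: ['', 'Accept_Encoding', '|', 'Accept_Language', '|', 'Cipher_Version', '']
    parts = TOKEN_RE.split(pattern)
    if parts[0] != "":
        raise ValueError("patterns starting with a literal are not handled here")
    return list(zip(parts[1::2], parts[2::2]))


def dissect(message, pattern=PATTERN, keep_empty=False):
    """Match fields left to right; returns None when a delimiter is missing."""
    result = {}
    rest = message
    for field, delim in compile_pattern(pattern):
        if delim == "":
            value, rest = rest, ""
        else:
            idx = rest.find(delim)
            if idx < 0:
                return None  # message does not fit the pattern
            value, rest = rest[:idx], rest[idx + len(delim):]
        # Empty values are dropped, matching the post's second case,
        # unless the caller asks to keep them.
        if value or keep_empty:
            result[field] = value
    return result


def starts_with_delimiter(message, pattern=PATTERN):
    """Pre-check: True when the first field of the message would be empty."""
    _, first_delim = compile_pattern(pattern)[0]
    return bool(first_delim) and message.startswith(first_delim)
```

Tagging events for which `starts_with_delimiter` is true (for example with a conditional before the dissect filter) makes the leading-delimiter case visible in the index instead of silently landing in the last field.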