Dissect filter special character "\" "<"

I'm trying to use the best of dissect, unfortunately i have encounter small problem with special characters like "" or "<"
For example:
<14>Jan 9 15:36:03
When i'm parsing this log with fields, i wan't to exclude "<14" and "domain_name\" in the example above.
Do you have any idea how to do this?

As far as dissect is concerned, the only special characters are %{ and }. So if you have a string such as

<14>Jan 9 15:36:03 and domain_name\username and so on

You can dissect it using

dissect { mapping => { "message" => "<%{a}>%{ts} %{+ts} %{+ts} and %{d}\%{u} %{}" } }

Thank you that obviously works :slight_smile:

But that creates new question, how to change this parser if there is no domain and username field, its empty, now I have _dissectfailure tag :frowning:
I believe its because of the "" character

As the documentation says, you might need to test the format of the string is appropriate for the dissection before dissecting.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.