I cannot see why this isn't working (other event fields removed for clarity).
Dissector mapping, pattern not found {"field"=>"message", "pattern"=>" [%{level->}] %{}", "event"=>{"message"=>" [WARNING ] Test"}}
I think the problem is that there is nothing to tell dissect that -> refers to one or more spaces.
" [%{level->} ]%{}" will match ' [WARNING ] ] ]Test'
From the documentation:
Note, above, the second field has a
->suffix which tells Dissect to ignore padding to its right.
Surprising! Theoretically it should work. Is there a need to escape the square brackets?
Yes, but the delimiter to its right is a square bracket, not a space.
I don't think you understand what padding means.
It's supposed to capture everything up to the ] delimiter, then rtrim the result.
I don't think you understand what padding means.
" [%{level->}]%{}"
will match multiple right delimiters. The RHS delimiter here is ], so it matches
' [WARNING]]]Test'
For the pattern
" [%{level->}] %{}"
The RHS delimiter is '] ', so it will match
' [WARNING] ] Test'If that's true then it's really badly documented.
How are you supposed to dissect a space-padded field within some delimiters then?
The delimiter is all the characters between the } and the next %{. The -> modifier will skip through repeating occurrences of these characters. So a single space character will skip multiple single spaces, a two space delimiter will skip multiple double spaces etc.
I think you have to grok it rather than dissect it.
or accept the spaces and use another dissect pattern on the field
message => "[%{field_w_spaces}] %{rest}"
then field_w_spaces => "%{field->} %{}" and remove_field => ["field_w_spaces"]
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.