Hi,
I'm having a log (from EMC Celerra) that ends with a backslash like this:
<event_source>:<severity>:<id> daemon \
I'm trying this dissect:
dissect {
mapping => { "message" => "%{event_source}:%{severity}:%{id} daemon \" }
}
but it won't work.
The \ anywhere in the string does work, but at the end it's considered to be escaping the " I guess.
And a double \\ won't work either.
How should I proceed?
Thanks a lot in advance for your help!
Vincent
Take a look at this issue, which I think applies to strings in general, not just regexps. The workaround is setting config.support_escapes
Thank you @Badger
I enabled this setting, although i didn't read the scope of it (does it apply to the input-generator-message field? to the filter-dissect-mapping string?)
it's working when i set \\ in the middle of the string, but i'm still not able to test it at the end of the string.
See my test config:
input {
generator {
count => 1
message => "Bla %stuff \"January\", 15 2019 ['83.202.178.93'] and just testing spaces before an anchor and others after plus all the end\\"
}
}
filter {
dissect {
mapping => { "message" => "Bla %stuff \"%{month}\", %{day} %{year} ['%{devicehostip}'] and %{fld} an anchor and %{fld2} plus %{message}\\" }
}
}
output {
stdout {
codec => rubydebug
}
}It should apply to the whole configuration. I agree that it does not seem to help here. Time for an ugly hack
mutate { gsub => [ "message", "$", " " ] }
Then add a space after the \ in your dissect mapping 
Thanks @Badger
It's a quick hack indeed!
I hope this issue will be fixed soon 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.