# Dissect with a backslash at the end of the log line

Hi,
I'm having a log (from EMC Celerra) that ends with a backslash like this:
`<event_source>:<severity>:<id> daemon \`

I'm trying this dissect:
dissect {
mapping => { "message" => "%{event_source}:%{severity}:%{id} daemon \" }
}
but it won't work.
The \ anywhere in the string does work, but at the end it's considered to be escaping the " I guess.
And a double \\ won't work either.

How should I proceed?
Thanks a lot in advance for your help!

Vincent

Take a look at this issue, which I think applies to strings in general, not just regexps. The workaround is setting config.support_escapes

Thank you @Badger
I enabled this setting, although i didn't read the scope of it (does it apply to the input-generator-message field? to the filter-dissect-mapping string?)
it's working when i set \\ in the middle of the string, but i'm still not able to test it at the end of the string.
See my test config:

``````input {
generator {
count => 1
message => "Bla %stuff \"January\", 15 2019 ['83.202.178.93'] and just testing spaces before an anchor and others after plus all the end\\"
}
}

filter {
dissect {
mapping => { "message" => "Bla %stuff \"%{month}\", %{day} %{year} ['%{devicehostip}'] and %{fld} an anchor and %{fld2} plus %{message}\\" }
}
}

output {
stdout {
codec => rubydebug
}
}``````

It should apply to the whole configuration. I agree that it does not seem to help here. Time for an ugly hack

``````mutate { gsub => [ "message", "\$", " " ] }
``````

Then add a space after the \ in your dissect mapping

1 Like

Thanks @Badger
It's a quick hack indeed!
I hope this issue will be fixed soon

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.