Dissect with a backslash at the end of the log line

I have a log (from EMC Celerra) that ends with a backslash like this:
<event_source>:<severity>:<id> daemon \

I'm trying this dissect:
dissect {
	mapping => { "message" => "%{event_source}:%{severity}:%{id} daemon \" }
}
but it won't work.
The \ anywhere in the string does work, but at the end it's considered to be escaping the " I guess.
And a double \\ won't work either.

How should I proceed?
Thanks a lot in advance for your help!


Take a look at this issue, which I think applies to strings in general, not just regexps. The workaround is setting config.support_escapes.

Thank you @Badger
I enabled this setting, although I didn't read the scope of it (does it apply to the input-generator-message field? To the filter-dissect-mapping string?).
It's working when I set \\ in the middle of the string, but I'm still not able to test it at the end of the string.
See my test config:

input {
	generator {
		count => 1
		message => "Bla %stuff \"January\", 15 2019 [''] and just testing spaces before an anchor and others after plus all the end\\"
	}
}

filter {
	dissect {
		mapping => { "message" => "Bla %stuff \"%{month}\", %{day} %{year} ['%{devicehostip}'] and %{fld} an anchor and %{fld2} plus %{message}\\" }
	}
}

output {
	stdout {
		codec => rubydebug
	}
}

It should apply to the whole configuration. I agree that it does not seem to help here. Time for an ugly hack

mutate { gsub => [ "message", "$", " " ] }

Then add a space after the \ in your dissect mapping :smiley:


Thanks @Badger
It's a quick hack indeed!
I hope this issue will be fixed soon :wink:
