exception=>#<CSV::MalformedCSVError: Illegal quoting in line 1.>

My config file is:

    input
    {
        stdin {}
    }

    filter
    {
        if "box_Firewall" not in [program] {
            # JSON-looking lines
            if [message] =~ /{".*":\s".*",/ {
                json { source => "message" }
                mutate { add_tag => "json" }
            }
            # key=value pairs
            else if [message] =~ /\w+=\w+\s\w+=\w+/ {
                kv { source => "message" }
                mutate { add_tag => "kv" }
            }
            # everything else is treated as space-separated values
            else {
                csv {
                    source => "message"
                    separator => " "
                }
                mutate { add_tag => "csv" }
            }
        }
        else { drop {} }
    }

    output
    {
        stdout {}
    }

My entry is:
[ActiveJob] [StorageClusterReplicaVerifierJob] [6f622ec3-0e49-4aba-a5bd-2df8bb83b1aa] Enqueued StorageReplicationVerificationJob (Job ID: aa4386d8-6dac-410d-a954-5f434f749aa2) to Aqueduct(storage_cluster) with arguments: {"oid"=>"73e53d8ceab9a9bf1c395c355dbf60ebf107c438361ca80ff41894f72262b3d3", "hosts"=>["storage-server-6b256858-8802-11eb-85e1-000d3a249d7a", "storage-server-a19d055e-8757-11eb-af0e-000d3aae22c6"]}

When I paste it on the terminal the following error pops up

The filter part is because I'm expecting several types of logs: key=value, value only and JSON.
Any help would be much appreciated 🙂

Your data does not match either regexp. It is not words separated by colons, and it is not words separated by equals signs, so it goes through the csv filter. csv fields have to be quoted correctly. The field must start and end with " (if quotes are present at all) and any quotes within the field must be escaped with a second double quote. So something like foo,"a""b""c",bar would be a valid 3 field csv.

You need another branch to your if-else and another filter to parse that data.
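The routing described in the answer above, reproduced in Ruby, whose CSV library is the one raising the error in the question. This is an added example, not part of the original thread: the function names and the short kv/json samples are constructed, and `_csvparsefailure` is the csv filter's default failure tag.

```ruby
require "csv"

# The log entry from the question, verbatim.
ENTRY = '[ActiveJob] [StorageClusterReplicaVerifierJob] [6f622ec3-0e49-4aba-a5bd-2df8bb83b1aa] Enqueued StorageReplicationVerificationJob (Job ID: aa4386d8-6dac-410d-a954-5f434f749aa2) to Aqueduct(storage_cluster) with arguments: {"oid"=>"73e53d8ceab9a9bf1c395c355dbf60ebf107c438361ca80ff41894f72262b3d3", "hosts"=>["storage-server-6b256858-8802-11eb-85e1-000d3a249d7a", "storage-server-a19d055e-8757-11eb-af0e-000d3aae22c6"]}'

# Same patterns as the conditionals in the config ("{" escaped for Ruby).
JSON_RE = /\{".*":\s".*",/
KV_RE   = /\w+=\w+\s\w+=\w+/

# Mirrors the if / else if / else chain: which branch does a line fall into?
def branch_for(line)
  return :json if line =~ JSON_RE
  return :kv   if line =~ KV_RE
  :csv
end

# Parse the way the csv branch does. Returns [fields, nil] on success or
# [nil, message] when the quoting is illegal, instead of raising.
def try_csv(line, sep)
  [CSV.parse_line(line, col_sep: sep), nil]
rescue CSV::MalformedCSVError => e
  [nil, e.message]
end

# Route one line and report the tag it would end up with.
def route(line)
  branch = branch_for(line)
  return { tag: branch.to_s } unless branch == :csv

  fields, err = try_csv(line, " ")
  fields ? { tag: "csv", fields: fields } : { tag: "_csvparsefailure", error: err }
end

if __FILE__ == $0
  # Constructed samples for the other two branches, then the real entry.
  puts route('{"user": "alice", "action": "login"}').inspect
  puts route("user=alice action=login").inspect
  puts route(ENTRY).inspect                     # quote inside an unquoted field
  puts try_csv('foo,"a""b""c",bar', ",").inspect # the valid example from the answer
end
```

The entry uses `=>` rather than `": "` or `key=value`, so neither pattern matches, and the `"` inside the unquoted field `{"oid"=>...` is what the CSV parser rejects.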

Awesome @Badger I used dissect and it worked 🙂
