Hi *,
im currently trying to get along with the dissect filter.
So i have the following example log which i try to parse with dissect:
"a b" 33 c
And my dissect mapping looks like this
mapping => { "message" => ""%{f1}" %{f2} %{f3}" }
What i'm trying to do is to get everything between double quotes in one field (f1).
Are double quotes valid to be used within the mapping part as a delimiter? If yes, how do i implement it?
Kind regards
alex
I'm not familiar with the dissect filter, but perhaps you'll have better luck with this:
mapping => { "message" => '"%{f1}" %{f2} %{f3}' }Hi,
Had the same issue 
and using single quotes did the trick 
Best regards,
Charles.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.