So I have some data which is kv pairs separated by multiple characters, "::" to be precise. This issue: https://github.com/logstash-plugins/logstash-filter-kv/issues/15 shows that the built in kv filter cannot use multi-character key value splits. So I want to split on the first ":" and remove the second from the value field.
Example data:
DATATYPE::SERVICEPERFDATA TIMET::1496348439 HOSTNAME::myhost SERVICEDESC::cpu_load SERVICEPERFDATA::load1=0.010;20.000;30.000;0; load5=0.040;15.000;25.000;0; load15=0.050;10.000;20.000;0; SERVICECHECKCOMMAND::check_cpu_load HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD SERVICEOUTPUT::OK - load average: 0.01, 0.04, 0.05 HOSTGROUPNAMES::all
Filter outline:
kv { source => "message" field_split => "\t" value_split => ":" exclude_keys => ["type"] } # Remove colons from values, see https://github.com/logstash-plugins/logstash-filter-kv/issues/15 ruby { code => "event.to_hash.each { |k, v| if v.is_a? (String) event.set(k, v[1..-1]) if v.start_with? ':' end}" }
However this code still returns values with the leading ":", any ideas why this is not working. As I said I have tried other similar permutations to this. What am I missing?