# Split the raw line into timestamp, thread, level, a free-text prefix and the
# text between the braces.
#   %{ts} %{+ts}            - date and time are appended into one "ts" field
#   %{someField}            - everything up to the first "{"
#   %{[@metadata][kvData]}  - text up to the next "}"; being under @metadata it
#                             does not show up in the event output
#   %{}                     - unnamed skip field for whatever follows the "}"
dissect {
  mapping => {
    "message" => "%{ts} %{+ts} [%{thread}] %{loglevel} %{someField}{%{[@metadata][kvData]}}%{}"
  }
}

# Break the captured text into key/value fields. Pairs are separated by
# comma+space, so comma-only lists inside a value stay in one piece.
# NOTE(review): no `target` is set, so the parsed keys are written to the event
# root next to ts/thread/loglevel, and a key with one of those names would
# collide. If any value in the payload is client-supplied (userName and
# userAgent look like it; confirm), consider `target` or `include_keys` so only
# expected keys become fields.
kv {
  source => "[@metadata][kvData]"
  field_split_pattern => ", "
}
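I changed the dissect to pull out the data between AuthenticationEvent{ and } into a separate field, [@metadata][kvData], which the kv filter then splits into individual fields. Every value comes out as a string (note that "failureReason" is the literal text "null", and timeout and timestamp are not numeric). That will result in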
"someField" => "c.c.d.c.s.a.UserAuthenticationListener - User logged in: AuthenticationEvent",
"userName" => "username",
"loglevel" => "INFO",
"action" => "LOGIN",
"userAgent" => "Chrome",
"userAgentVersion" => "58.0.3029.110",
"productPermissions" => "bsg,rdm,dsm,catalog,helpdesk,policymanager,datadictionary,admin",
"licenseType" => "CONSUMER",
"failureReason" => "null",
"timeout" => "1800000",
"remoteHost" => "10.251.35.112",
"timestamp" => "1592919002568",
"sessionId" => "-303021888",
"thread" => "https-jsse-nio-0.0.0.0-8443-exec-58",
"ts" => "2020-06-23 15:30:02.568"