Grok pattern

Hi Team,

I need to ingest the below log file, and i required all the fields without pipe. In order to create visualization and dashboards for the same. kindly any one please help, how to split the fields with this log event.

time=1666400383|hostname=XXXXXX|product=Firewall|layer_name=GLOABAL|layer_uuid=f978f8cb-69e7-4f2b-a4ef-ed3e6bbded54|match_id=143|parent_rule=0|rule_action=Accept|rule_name=95.49_..|rule_uid=6541202c-dfbb-4c4e-8c27-d10d63c55f0d|action=Accept|conn_direction=Outgoing|ifdir=inbound|ifname=bond3.3533|logid=0|loguid={0x685b2ca2,0x533605dd,0x4f6aaf1b,0xf009f746}|origin=10.174.129.129|sequencenum=538|time=1666400383|version=5|__policy_id_tag=product=VPN-1 & FireWall-1db_tag={1586140B-88A8-014F-A33B-6599BBD71827}|mgmt=usfwtamer01|date=1666357943|policy_name=AMERICAS-GDC-EXT|dst=149.154.167.51|lastupdatetime=1666400383|log_delay=1666400383|member_id=1_2|nat_addtnl_rulenum=0|nat_rule_uid=e7099cb0-b0ba-421a-91a3-b2990dee6e7d|nat_rulenum=1668|proto=6|s_port=51939|service=443|service_id=gTCP-Groove-443|src=10.112.195.14|xlatedport=0|xlatedst=0.0.0.0|xlatesport=45957|xlatesrc=199.49.20.51

You do not need to use grok with this, you need to use the kv filter and configure the field split to use the pipe character.

This filter will parse your message.

  kv {
    source => "message"
    field_split => "|"
    value_split => "="
  }

Ok Thanks for your prompt response.

Do we need to install kV filter or will it be available by default. Am using logstash 7.16.3 version on RHEL 7 OS . Let me know, how to install the plugin if required additionally.

it seems to me that the kv plugin is installed by default.

@leandrojmp Thank you very much..it got worked.

If I need the fields specifically, for example "product" and "version" fields. what will be the best approach?

time=5666373355|hostname=uspilrapfwmlog5|product=System Monitor|ifdir=inbound|ifname=daemon|loguid={0x6355d6e9,0x0,0x8585ae0a,0x55955755}|origin=50.575.58.538|sequencenum=5|time=5666373355|version=5|sys_message:=installed defaultfilter