Help on case sensitive kv plugin

I'm using the kv plugin to extract some values from syslog messages such as From, to, call-ID, etc. The problem is that some logs come in capitalized and others don't, and from what I can tell kv is case sensitive. Any suggestions to solve this? Here is the section of the code I'm using now:

    kv {
      # take syslog_message & look for key/values followed by ":" and parse them out
      include_keys => ["Contact", "To", "From", "Call-ID"]
      source => "syslog_message"
      value_split => ":"
    }

Can't you just list both "Call-ID" and "call-ID" in include_keys?

But when I do a search, I would have to do two searches, which is not ideal.

Sure, but you could rename the fields after the kv filter so the naming is consistent.
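
The two suggestions in the replies above combined into one filter section, as an added example that is not part of the original thread. The lowercase key spellings other than "call-ID" are assumptions about what the logs contain; adjust them to the variants actually seen.

```logstash
filter {
  kv {
    source      => "syslog_message"
    value_split => ":"
    # List every spelling of each key that shows up in the logs.
    # "contact", "to" and "from" are assumed variants; "call-ID" is from the thread.
    include_keys => [
      "Contact", "contact",
      "To", "to",
      "From", "from",
      "Call-ID", "call-ID"
    ]
  }

  # Rename the variant spellings to one canonical field name so a single
  # search on "Call-ID", "From", etc. matches every event.
  # mutate's rename leaves the event untouched when the source field is absent.
  mutate {
    rename => {
      "contact" => "Contact"
      "to"      => "To"
      "from"    => "From"
      "call-ID" => "Call-ID"
    }
  }
}
```

Consistent field names also matter for alerting and correlation: a detection rule keyed on "Call-ID" silently misses events where the field was stored as "call-ID".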
