How to handle '=' in values, splitting on | but KV takes over all '=' not only the first

Elastic Stack Logstash
1

I'm parsing custom logs. Here's a snippet:
18.7.2012 9:05:57\t|C3|date=18.07.2012 09:05:57|acronym=BS|... |firstsignUpDate=30.07.2007|bibl001c=m|biblUDK675s=(038)33=111=163.6|....

My second (first one ist just mutate/gsub just to change C3 => cir=C3) filter applied is KV

kv {
	field_split => "|"
}

This works fine, until my field containts multiples '=', for example biblUDK675s=(038)33=111=163.6.
I've thought that after splitting with '|' only the part before first = should be taken as key.
Is there any option to tell KV that biblUDK675s is the key and (038)33=111=163.6 is the value?

2

This one is solved, if I apply:

include_brackets => false

But if I use a diffrent string:
18.7.2012 9:05:57\t|C3|date=18.07.2012 09:05:57|acronym=BS|… |firstsignUpDate=30.07.2007|bibl001c=m|biblUDK675s=test AU =fgdgd|…

Then it returns:
biblUDK675s=test
AU=fgdgd

But I explicitly applied that field split is "|", why does he uses a fall back?
In first example, after including brackets, it returned correct, because there was no space.

3

Got no answer here and nothing on KV Github.

I've fixed this using ruby code, and wrote my own filter.
If it helps somebody:

ruby {
		code => "
			a = event.get('message').split('|').delete_if{|x| !x.match(/=/)}
			a.each {|y| b = y.split('=', 2)
				event.set(b[0].strip, b[1])
			}"
	}
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.