I'm parsing custom logs. Here's a snippet:
18.7.2012 9:05:57\t|C3|date=18.07.2012 09:05:57|acronym=BS|... |firstsignUpDate=30.07.2007|bibl001c=m|biblUDK675s=(038)33=111=163.6|....
My second (first one ist just mutate/gsub just to change C3 => cir=C3) filter applied is KV
kv {
field_split => "|"
}
This works fine, until my field containts multiples '=', for example biblUDK675s=(038)33=111=163.6.
I've thought that after splitting with '|' only the part before first = should be taken as key.
Is there any option to tell KV that biblUDK675s is the key and (038)33=111=163.6 is the value?
This one is solved, if I apply:
include_brackets => false
But if I use a diffrent string:
18.7.2012 9:05:57\t|C3|date=18.07.2012 09:05:57|acronym=BS|… |firstsignUpDate=30.07.2007|bibl001c=m|biblUDK675s=test AU =fgdgd|…
Then it returns:
biblUDK675s=test
AU=fgdgd
But I explicitly applied that field split is "|", why does he uses a fall back?
In first example, after including brackets, it returned correct, because there was no space.
Got no answer here and nothing on KV Github.
I've fixed this using ruby code, and wrote my own filter.
If it helps somebody:
ruby {
code => "
a = event.get('message').split('|').delete_if{|x| !x.match(/=/)}
a.each {|y| b = y.split('=', 2)
event.set(b[0].strip, b[1])
}"
}