Ingest Pipeline KV processor pattern failures

Trying to parse syslogs with several KV pairs. The values contain special characters & spaces.

Example events -

sev="INFO" msg="Audit access" cat="\[AUDIT\]" pol="ENC104456DB_SQL_Operational" uinfo="SQLService\\UnPriviligedServices,GRP_Jenkins_Build,SG_DBSvcAccts_Rstrct...\\DCO,dco.elmae" sproc="D:\\Program Files\\Microsoft SQL Server\\MSSQL10_50.ENC104456DB\\MSSQL\\Binn\\sqlservr.exe" act="read_file" gp="f:\\mssql_data" filePath="\\ENC79.mdf:MSSQL_DBCC7" key="None" denyStr="PERMIT" showStr="Code (1A,2M)"
 
sev="INFO" msg="Event" event="Guardpath \\\\bnk11701fs\\bnk11701\\BE6789\\encdata\\Patth is not valid - will not guard (reason: Invalid Guard Path)!"
 
sev="ERROR" msg="failed to contact host" shost="syslogserver" nexttime="Tue Jun 16 05:12:05 PDT 2020"

Here's my KV processor -

{
  "kv": {
    "field": "syslog_message",
    "field_split": """\s(?![-_,:()\w\" ]+?(\s+|\d+|[,_\.]+|$))""",
    "value_split": """(?<!\\\s-:)=""",
    "strip_brackets": true,
    "ignore_failure": true,
    "ignore_missing": true
  }
}

Really appreciate any help with this.

I managed to get the first & third patterns working with the KV processor, but the second one still fails.

Got it working finally -

{
  "kv": {
    "field": "syslog_message",
    "field_split": """\s(?![-_,:()\w\"\\! ]+?(\s+|\d+|[,_\.]+|$))""",
    "value_split": """(?<!\\)=""",
    "ignore_failure": true,
    "ignore_missing": true
  }
}
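To see why the first pattern set truncates the second event and the final one does not, here is an added Python approximation of the KV processor's split logic (not Elasticsearch's own code) run over the three events from the thread; `regex_split`, `kv_process` and `compare` are names chosen for this example, the `strip_brackets` regex is an approximation of the processor's behaviour, and the last check shows a key containing `_` that the final `field_split` lookahead also fails to split.

```python
import re

# Constructed sample events, copied from the thread with backslashes kept as shown there.
EVENTS = [
    r'sev="INFO" msg="Audit access" cat="\[AUDIT\]" pol="ENC104456DB_SQL_Operational" uinfo="SQLService\\UnPriviligedServices,GRP_Jenkins_Build,SG_DBSvcAccts_Rstrct...\\DCO,dco.elmae" sproc="D:\\Program Files\\Microsoft SQL Server\\MSSQL10_50.ENC104456DB\\MSSQL\\Binn\\sqlservr.exe" act="read_file" gp="f:\\mssql_data" filePath="\\ENC79.mdf:MSSQL_DBCC7" key="None" denyStr="PERMIT" showStr="Code (1A,2M)"',
    r'sev="INFO" msg="Event" event="Guardpath \\\\bnk11701fs\\bnk11701\\BE6789\\encdata\\Patth is not valid - will not guard (reason: Invalid Guard Path)!"',
    r'sev="ERROR" msg="failed to contact host" shost="syslogserver" nexttime="Tue Jun 16 05:12:05 PDT 2020"',
]

# The first attempt and the final working patterns, exactly as posted in the thread.
FIRST = {"field_split": r'\s(?![-_,:()\w\" ]+?(\s+|\d+|[,_\.]+|$))', "value_split": r'(?<!\\\s-:)='}
FINAL = {"field_split": r'\s(?![-_,:()\w\"\\! ]+?(\s+|\d+|[,_\.]+|$))', "value_split": r'(?<!\\)='}

# Mirrors Java's Pattern.split: split on every match and ignore capture groups
# (Python's re.split would inject None for the unmatched lookahead group).
def regex_split(pattern, text):
    parts, last = [], 0
    for m in re.finditer(pattern, text):
        parts.append(text[last:m.start()])
        last = m.end()
    parts.append(text[last:])
    return parts

# Approximation of the KV processor's core loop: field_split, then value_split
# with a limit of 2, then optional strip_brackets (one leading/trailing bracket or quote).
def kv_process(message, field_split, value_split, strip_brackets=False):
    result = {}
    for chunk in regex_split(field_split, message):
        parts = re.split(value_split, chunk, maxsplit=1)
        if len(parts) < 2:
            continue  # chunk has no separator: it is silently dropped (this is how values get truncated)
        key, value = parts
        if strip_brackets:
            value = re.sub(r"""(^[(\[<"'])|([\])>"']$)""", "", value)
        result[key] = value
    return result

# Run both pattern sets over one event so the difference is visible side by side.
def compare(message):
    return kv_process(message, strip_brackets=True, **FIRST), kv_process(message, **FINAL)

if __name__ == "__main__":
    for event in EVENTS:
        first, final = compare(event)
        print("first:", first)
        print("final:", final)
```

With the first patterns the space before `\\\\bnk11701fs` splits the `event` value because `\` is not in the lookahead's character class, and the chunk that follows has no `=`, so it is dropped; the final class adds `\\` and `!` so the whole quoted value survives.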
