Issues with kv filtering/ElasticSearch filtering

jshepheard · August 6, 2019, 1:26pm

Hello.
I am having a strange issue with ELK stack which I am struggling to get my head around. (ElasticSearch 6.5).

My logstash config contains:

kv {
 field_split => ", "
 value_split => "="
}

which is working fine, however, one field which has a space in it isn't quite working correctly.

an example message (unfiltered) contains device=First Second (data sanatized) - but in the filtered field of device, it shows as device=First and hasn't got the second part of the string.

The mapping type for this field in paticular is:

       "device" : {
           "type" : "keyword"
         },

So I believe that is correct. Can anybody help?
Thank you in advance.

Badger · August 6, 2019, 1:44pm

So fields are separated by either comma or space, which means Second is a field with no value, so it does not get stored.

jshepheard · August 7, 2019, 6:04am

Thank you @Badger.

I did some more investigation and noted that the fields are splitting on both ", " or " " or ",".

Do you know of a way I can explicitly say, only split on ", "?

Thank you in advance.

Jenni · August 7, 2019, 9:18am

You need to change field_split to field_split_pattern.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-kv.html#plugins-filters-kv-field_split_pattern

system · September 4, 2019, 9:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to set Kv filter plugin to keep spaces in value Logstash	1	1210	February 24, 2017
KV field_split prevents logstash ingesting data Logstash	20	5001	October 18, 2017
How to extract and transform unstructured data into fields Logstash	6	849	August 3, 2017
How to Split the one field into multiple fields using kv plugins Logstash	5	2688	April 11, 2019
Logstash km filter issue Logstash	2	349	October 30, 2018

Issues with kv filtering/ElasticSearch filtering

Related topics