Key value pair

Elastic Stack Logstash
1

Good afternoon. I am trying to use KVP to separate the key value pair in my "Message" field.

"{"EventTime":"2019-01-07 18:20:42.826361Z","Hostname":"186590cbd0f7","Message":"EPS: 99","EventReceivedTime":"2019-01-07 18:20:42.826373Z","isServer":"False","esmVersion":"1.6.9","esmType":"metric"}"

I have tried

filter {
  kv {
    source => 'Message'
    target => 'EPS'
    value_split => ": "
    field_split => ": "
  }
}

This results in:

{"host":"186590cbd0f7","@timestamp":"2019-01-07T19:06:14.014Z","message":"{EventTime:2019-01-07 18:20:42.826361Z,Hostname:186590cbd0f7,Message:EPS: 99,EventReceivedTime:2019-01-07 18:20:42.826373Z,isServer:False,esmVersion:1.6.9,esmType:metric}","@version":"1","path":"/tmp/testfile"}

Which shows the KV working somewhat but on the message field not the Message field

What I am trying to do is pull out Message: EPS: <some_value> to EPS:<some_value>`

2

If that really is the input line then I would strip off the outmost quotes and parse it as JSON to get a Message field.

filter { mutate { gsub => [ "message", '(^"|"$)', '' ] } }
filter { json { source => "message" } }
filter { kv { source => "Message" value_split => ":" } }

which will get you

          "esmType" => "metric",
        "EventTime" => "2019-01-07 18:20:42.826361Z",
          "Message" => "EPS: 99",
          "message" => "{\"EventTime\":\"2019-01-07 18:20:42.826361Z\",\"Hostname\":\"186590cbd0f7\",\"Message\":\"EPS: 99\",\"EventReceivedTime\":\"2019-01-07 18:20:42.826373Z\",\"isServer\":\"False\",\"esmVersion\":\"1.6.9\",\"esmType\":\"metric\"}",
         "isServer" => "False",
              "EPS" => "99",
       "esmVersion" => "1.6.9",
         "Hostname" => "186590cbd0f7",
"EventReceivedTime" => "2019-01-07 18:20:42.826373Z"