Good afternoon. I am trying to use KVP to separate the key value pair in my "Message" field.
"{"EventTime":"2019-01-07 18:20:42.826361Z","Hostname":"186590cbd0f7","Message":"EPS: 99","EventReceivedTime":"2019-01-07 18:20:42.826373Z","isServer":"False","esmVersion":"1.6.9","esmType":"metric"}"
I have tried
filter {
  kv {
    source => 'Message'
    target => 'EPS'
    value_split => ": "
    field_split => ": "
  }
}
This results in:
{"host":"186590cbd0f7","@timestamp":"2019-01-07T19:06:14.014Z","message":"{EventTime:2019-01-07 18:20:42.826361Z,Hostname:186590cbd0f7,Message:EPS: 99,EventReceivedTime:2019-01-07 18:20:42.826373Z,isServer:False,esmVersion:1.6.9,esmType:metric}","@version":"1","path":"/tmp/testfile"}
Which shows the KV working somewhat, but on the message field, not the Message field.
What I am trying to do is pull out Message: EPS: <some_value> to EPS:<some_value>
Badger, January 7, 2019, 8:31pm
If that really is the input line then I would strip off the outermost quotes and parse it as JSON to get a Message field.
filter { mutate { gsub => [ "message", '(^"|"$)', '' ] } }
filter { json { source => "message" } }
filter { kv { source => "Message" value_split => ":" } }
which will get you
"esmType" => "metric",
"EventTime" => "2019-01-07 18:20:42.826361Z",
"Message" => "EPS: 99",
"message" => "{\"EventTime\":\"2019-01-07 18:20:42.826361Z\",\"Hostname\":\"186590cbd0f7\",\"Message\":\"EPS: 99\",\"EventReceivedTime\":\"2019-01-07 18:20:42.826373Z\",\"isServer\":\"False\",\"esmVersion\":\"1.6.9\",\"esmType\":\"metric\"}",
"isServer" => "False",
"EPS" => "99",
"esmVersion" => "1.6.9",
"Hostname" => "186590cbd0f7",
"EventReceivedTime" => "2019-01-07 18:20:42.826373Z"
system, February 4, 2019, 8:35pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.