Key-value split failing on comma in field

e.vedelaar · March 14, 2024, 1:52pm

When ingesting fortigate logs i come across the following error message:

field [syslog5424_sd] does not contain value_split [=]

this occurs because i do KV splits on ",". While this works with most logs, there are a few which are giving errors. One of the logs which is failing contains the following field: srccountry="Korea, Republic of". Because there is an comma in between Korea and Republic of, the pipeline fails.

Is there a way of either ignoring or removing the comma in these fields?

Rios · March 14, 2024, 2:36pm

Before suggest something tested and working, can you put a full message?

There is possibility to handle with:

whitespace => strict
trim_value => '"'
remove_char_value => '"' or "["]"
value_split_pattern -improve split with regex patern
etc.

system · April 11, 2024, 2:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
KV field_split prevents logstash ingesting data Logstash	20	4861	October 18, 2017
KV Plugin take only first key from a split_field Logstash 5.0 Logstash	3	509	July 6, 2017
Issues with kv filtering/ElasticSearch filtering Logstash	4	366	September 4, 2019
How to get kv filter to ignore value_split in data Logstash	3	1646	February 14, 2018
Kv filter value is not always correctly extracted using value_split_pattern Logstash	5	689	December 4, 2018

Key-value split failing on comma in field

Related topics