Key-value split failing on comma in field

When ingesting FortiGate logs I come across the following error message:

field [syslog5424_sd] does not contain value_split [=]

This occurs because I do KV splits on ",". While this works with most logs, there are a few which are giving errors. One of the logs which is failing contains the following field: srccountry="Korea, Republic of". Because there is a comma between Korea and Republic of, the pipeline fails.

Is there a way of either ignoring or removing the comma in these fields?

Before I suggest something tested and working, can you post a full message?

There is a possibility to handle it with:

  • whitespace => strict
  • trim_value => '"'
  • remove_char_value => '"' or "["]"
  • value_split_pattern - improve the split with a regex pattern
    etc.
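
The splitting problem the thread describes, as an added example that is not part of the original thread: a key=value parser in Python over a constructed comma-separated FortiGate-style line, run once with the naive split on every comma (which produces a fragment with no "=", matching the error above) and once with a regex that only splits on commas outside double quotes. The same regex is the kind of pattern the reply's *_split_pattern options accept (assumption: your kv filter exposes a field-split pattern option; check its documentation).

```python
import re

# Constructed sample line (not from the thread): comma-separated key=value
# pairs, one of which carries a comma inside its double-quoted value.
SAMPLE = 'devname=fw1,srcip=10.0.0.5,srccountry="Korea, Republic of",action=deny'

# Naive splitter: every comma is a field separator (what the failing pipeline does).
NAIVE_SPLIT = re.compile(",")

# Quote-aware splitter: a comma is a separator only if an even number of
# double quotes follow it on the line, i.e. it is not inside a quoted value.
QUOTE_AWARE_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def split_fields(line, splitter):
    """Return the raw field fragments produced by the given splitter."""
    return splitter.split(line)


def kv_parse(line, splitter=QUOTE_AWARE_SPLIT):
    """Parse key=value fields into a dict, stripping surrounding quotes.

    A fragment without "=" raises ValueError with the same wording as the
    error message in the thread, so the failure mode is visible to the caller.
    """
    parsed = {}
    for fragment in split_fields(line, splitter):
        if "=" not in fragment:
            raise ValueError(f"fragment [{fragment!r}] does not contain value_split [=]")
        key, _, value = fragment.partition("=")
        parsed[key.strip()] = value.strip().strip('"')
    return parsed


def parse_naively(line):
    """Parse with the naive comma split; fails on quoted values containing commas."""
    return kv_parse(line, NAIVE_SPLIT)


if __name__ == "__main__":
    print(kv_parse(SAMPLE))          # srccountry keeps "Korea, Republic of"
    try:
        parse_naively(SAMPLE)
    except ValueError as err:
        print("naive split failed:", err)
```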
