Kv - Drop messages that doesnt match

PeterH · July 10, 2019, 12:11pm

Hi,

i want to split up messages with that format with the kv filter plugin:
"key1": "value1", "key2": "value2", "key3": "value3"

This is my kv config:
kv {
trim_value => """
trim_key => ""\ ()"
field_split => ","
value_split => ":"
}

Now I want to define that ervery message which cannot be parsed by the kv plugin will be dropped. I tried that from Github:
if "_kv_filter_error" in [tags] {
drop { }
}

But unfortunately when nothing matched this tag will not assigned.

Has anybode an idea how to achive that?

Thank you!

Badger · July 10, 2019, 1:55pm

The _kv_filter_error tag is only applied if an exception is caught by the kv filter. It can fail without raising an exception.

Perhaps you can check for a match against a regexp to decide whether the message has the right format?

PeterH · July 10, 2019, 2:20pm

Okay.
How can i implement a standard regex? Or do I have to use a grok filter for that?

Badger · July 10, 2019, 2:35pm

Something like this:

    if [message] =~ /^\s*"[^"]+"\s*:\s*"[^"]+",\s*"[^"]+"\s*:\s*"[^"]+",\s*"[^"]+"\s*:\s*"[^"]+"\s*$/ {
        #Do something
    }

system · August 7, 2019, 2:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kv filtering problem Logstash	9	434	December 4, 2019
Need help to exlcude messages which are not having kv pair Logstash	3	287	June 8, 2020
KV Plugin Not working Logstash	9	674	August 27, 2019
KV filter: Detect malformed messages Logstash	2	328	February 27, 2019
KV plugin filter not working Logstash	5	880	June 27, 2018

Kv - Drop messages that doesnt match

Related topics