Kv filter: a number added in the beginning of the field

taraka16 · February 19, 2016, 5:18pm

This is my conf file:

input {
  file {
    start_position => "beginning"
    path => [ "/home/taraka/Projects/neonion/logs/*.log" ]
    type => "syslog"
  }
}

filter{

  multiline {
	    pattern => "\[\#\|\d{4}"
	    negate => true
     what => "previous"
    }
   grok {
    match   =>  [ "message", "(?<highlight_created>(highlight_created))"]
    break_on_match => false
    }
   grok {
    match   =>  [ "message", "(?<highlight_deleted>(highlight_deleted))"]
    break_on_match => false
    } 

   kv {
    source => "message"
    field_split => ","
    value_split => "="
     }
}
output {
  if[type]=="syslog"{
    elasticsearch {host => "localhost"}
    stdout { codec => rubydebug}
  }
}

and the output looks like this:

I need to have the field comment_created without the number beside. How can I do it?

msimos · February 19, 2016, 5:45pm

Hi,

You should first use something like:

       grok {
          match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:logmessage}"]
       }

Then use the following to split on the comma:

kv {
   source => logmessage
   etc...

taraka16 · February 23, 2016, 1:04pm

@msimos Thank you very much! it works!