Hi,
I have incoming messages with the format:
key1=5 key2='value 2' key3=value
(many values, dynamic)
...and I'm using the KV filter to extract the key value pairs, which works as expected.
Now I also have incoming messages which are standard text messages and I want to detect these in Logstash. Do you have any hint how I can achieve this (ruby, regex)?
Use a regex conditional block to apply a the KV section and the regular text gets processed in the else block.
https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals
Example:
if [message] =~ /(\w+=(("\w+\s+(\w+)?")|('\w+\s+(\w+)?')|\w+)\s){2,}/ {
# must have at least 2 KV like sections
} else {
# might have one section that looks like KV but is not
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.