Hello, I am trying to use the KV filter for my task. It works almost correctly, but I have one mistake in the output result.
Here are the input logs, which I want to analyze:
sid: S-1-5-21-2526317496-1893015908-99665470-1000, bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Windows\system32\, cmd: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy ByPass -File "C:\Program Files\AVAST Software\Avast\setup\UninstallExchange.ps1" "C:\Program Files\AVAST Software\Avast\AsEx.dll"
fileinfo: size: 473600, easize: 0, attr: 0x20, buildtime: 14.07.2009 09:49:07.000
Here is my filter:
filter {
  kv {
    field_split_pattern => ", "
    value_split_pattern => ": "
  }
}
So in the output I have this:
"sid" => "S-1-5-21-2526317496-1893015908-99665470-1000",
"bitness" => "64",
"ilevel" => "high",
...
"curdir" => "C:\\Windows\\system32\\, cmd: \"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -ExecutionPolicy ByPass -File \"C:\\Program Files\\AVAST Software\\Avast\\setup\\UninstallExchange.ps1\" \"C:\\Program Files\\AVAST Software\\Avast\\AsEx.dll\""
Why didn't the KV filter split the field before cmd? I have the right pattern ", " before it.
Please tell me what I am doing wrong.