KV filter doesn't split on field_split_pattern once

Hello, I am trying to use the KV filter for my task. It works almost correctly, but I have one mistake in the output.
Here are the input logs which I want to analyze:

sid: S-1-5-21-2526317496-1893015908-99665470-1000, bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
  curdir: C:\Windows\system32\, cmd: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy ByPass -File "C:\Program Files\AVAST Software\Avast\setup\UninstallExchange.ps1" "C:\Program Files\AVAST Software\Avast\AsEx.dll"
  fileinfo: size: 473600, easize: 0, attr: 0x20, buildtime: 14.07.2009 09:49:07.000

Here is my filter:

filter {
  kv {
    field_split_pattern => ", "
    value_split_pattern => ": "
  }
}

So in the output I have this:

"sid" => "S-1-5-21-2526317496-1893015908-99665470-1000",
"bitness" => "64",
"ilevel" => "high",
...
"curdir" => "C:\\Windows\\system32\\, cmd: \"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -ExecutionPolicy ByPass -File \"C:\\Program Files\\AVAST Software\\Avast\\setup\\UninstallExchange.ps1\" \"C:\\Program Files\\AVAST Software\\Avast\\AsEx.dll\""

Why didn't the KV filter split the field before cmd? I have the right pattern ", " before it.
Please tell me what I am doing wrong.

Please either blockquote your text using </> in the toolbar above the editing panel, or precede and follow it with lines containing three backticks ```

Of course, I am sorry. Fixed.

The lack of quotes around the value of curdir (which contains a colon) is confusing the parser. For this specific example you can fix it using

mutate { gsub => [ "message", "(curdir: )([^,]+),", '\1"\2",' ] }
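As an added illustration (not code from the thread or from Logstash itself), here is that gsub applied in plain Ruby to a constructed one-line version of the sample event, so you can see exactly what string the mutate stage hands on to kv. The mutate filter passes its pattern and replacement to Ruby's String#gsub, so the call is the same operation Logstash performs. A second, more general function (my own, not from the answer) quotes every unquoted value that contains a colon, whatever its key; it assumes keys consist of word characters and spaces, pairs are separated by ", ", and no value itself contains ", ".

```ruby
# Constructed sample: the sid/curdir/cmd fragment from the post, flattened onto one line.
# (Assumption: the whole event reaches kv as one string; the multi-line layout is ignored here.)
SAMPLE = 'sid: S-1-5-21-2526317496-1893015908-99665470-1000, bitness: 64, ilevel: high, ' \
         'curdir: C:\Windows\system32\, ' \
         'cmd: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy ByPass ' \
         '-File "C:\Program Files\AVAST Software\Avast\setup\UninstallExchange.ps1"'

# The substitution from the answer, verbatim. mutate { gsub => [...] } hands its pattern and
# replacement to Ruby's String#gsub, so this is the same transformation Logstash applies.
def quote_curdir(message)
  message.gsub(Regexp.new('(curdir: )([^,]+),'), '\1"\2",')
end

# Generalisation (not from the thread): wrap in double quotes every value that is not already
# double-quoted and contains a colon, whatever its key. Assumptions: keys are word characters
# and spaces, pairs are separated by ", ", and no value itself contains ", ".
UNQUOTED_COLON_VALUE = /(?:^|(?<=, ))([\w ]+): (?!")([^,]*:[^,]*)(?=, |$)/

def quote_unquoted_colon_values(message)
  message.gsub(UNQUOTED_COLON_VALUE) { "#{$1}: \"#{$2}\"" }
end

if __FILE__ == $PROGRAM_NAME
  puts quote_curdir(SAMPLE)
  # A different constructed line: time gets quoted, note is already quoted and is left alone.
  puts quote_unquoted_colon_values('user: DOMAIN\bob, time: 12:30:05, note: "a: b"')
end
```

Two things worth checking before copying the gsub into a pipeline: the mutate must come before kv in the filter block, because Logstash applies filters in the order they are written; and `[^,]+` stops at the first comma, so a curdir value that itself contains a comma would be cut short and the remainder would spill into the next field.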

Really, it works. Thank you very much.
I could not even imagine that the problem was the colon.
