KV filter in logstash 7.2.0 doesn't store a key having empty value

Hi
I am trying to parse a log in the following format

2018-12-18 19:50:37 SNID:1|CTI:1105154514|SL:20|SMS:706C73|SMSC:1|PSI_RF:00|SRCIP:172.25.25.119|DESTIP:|SN:|DN:

I am using the KV filter plugin to get it done, but I am getting an issue where the keys having no values are getting skipped and not getting parsed. Please help.

I am using the following code:

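# Split the line into the timestamp and the key/value body
grok {
  match => {
    "message" => "%{TIMESTAMP_ISO8601:dateTime}\s+%{GREEDYDATA:CDR_Body}"
  }
}
# Split the timestamp into date and time
grok {
  match => { "dateTime" => "%{DATE:date} %{TIME:time}" }
}
# Parse KEY:value pairs separated by "|"
kv {
  source => "CDR_Body"
  value_split => ":"
  field_split => "|"
  remove_field => ["dateTime"]
  remove_field => ["message"]
}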

This is working as designed. (Looking at the test cases for the PR that introduced the 'whitespace' option they verify that empty fields are not captured.)

If you know what the fields are called you might be able to use the default_keys option to supply values for those fields.
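
Added example, not part of the thread and not the kv plugin's own code: when the field names are not known in advance, the body can be split by hand (for instance from a ruby filter) so that keys with empty values are kept. `parse_cdr_body` and `SAMPLE_BODY` are hypothetical names; the sample is the log line from the question with the timestamp removed.

```ruby
# Parse a "KEY:value|KEY:value" body and keep keys whose value is empty.
# parse_cdr_body is a hypothetical helper, not part of Logstash or the kv plugin.
def parse_cdr_body(body, field_split: "|", value_split: ":")
  fields = {}
  body.to_s.split(field_split).each do |pair|
    next if pair.strip.empty?                      # skip stray separators ("||")
    key, sep, value = pair.partition(value_split)  # split on the first ":" only
    key = key.strip
    next if key.empty? || sep.empty?               # no key or no separator: not a pair
    fields[key] = value.strip                      # "" is stored, not dropped
  end
  fields
end

# Constructed sample: the log line from the question, timestamp removed.
SAMPLE_BODY = "SNID:1|CTI:1105154514|SL:20|SMS:706C73|SMSC:1|PSI_RF:00|" \
              "SRCIP:172.25.25.119|DESTIP:|SN:|DN:"

# Inside a Logstash ruby filter the same logic would run per event, e.g.
#   parse_cdr_body(event.get("CDR_Body")).each { |k, v| event.set(k, v) }
if __FILE__ == $PROGRAM_NAME
  parse_cdr_body(SAMPLE_BODY).each { |k, v| puts "#{k}=#{v.inspect}" }
end
```

Partitioning on the first separator keeps values that themselves contain ":" intact, and pieces without a separator are ignored instead of becoming keys.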
