I am expecting the KV filter to accept \ as an escape character so that the value is encapsulated by the non-escaped quotation marks, but it seems that the kv separator process kicks in before the kv value is read completely.
This is normal behaviour like in Java (String.split(" ")) or PHP (explode(" ", String)).
So you split your string by " " and after that, in these parts, you split it again on "=" to determine the key and the value part.
It just trimmed your " away because you have include_brackets enabled. KV Man - Include brackets
This is how I understand this, the developer of KV can have other views on this.
So Logstash keeps the brackets and Elasticsearch takes them away so I never see them. This also explains that when there is nothing in the field Logstash sends it as key="" and in this case Elasticsearch does not strip them away and stores the value as "".
Sometimes the Logstash documentation really needs more examples.
Logstash aka KV filter takes the brackets away.
But this option is confusing, because if include_brackets is enabled it will trim the brackets away.
I was wrong with the part of trimming the " away.
Because include_brackets only trims away brackets ()[]{}...
I'm wondering if with brackets option enabled you could split by " " and preserve the string as one value.
I've written my own splitter in ruby, so I won't test this.
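The splitting behaviour discussed in this thread, as an added example that is not from any poster and is not Logstash's kv filter code: a split-on-space-then-"=" parser beside a quote-aware one that treats \ as an escape inside quoted values. The function names and the sample line are constructed for illustration.

```ruby
# Added illustration; not the kv filter's implementation. All names are hypothetical.

# Approach described in the thread: split on spaces, then split each part on "=".
def naive_kv(line)
  line.split(" ").each_with_object({}) do |part, out|
    key, value = part.split("=", 2)
    out[key] = value unless value.nil?   # parts without "=" are dropped
  end
end

# Quote-aware approach: a value may be wrapped in double quotes, and a
# backslash inside the quotes escapes the next character (\" or \\).
def quoted_kv(line)
  out = {}
  i = 0
  n = line.length
  while i < n
    i += 1 while i < n && line[i] == " "
    j = i
    j += 1 while j < n && line[j] != "=" && line[j] != " "
    if j >= n || line[j] == " "          # bare token without "=": skip it
      i = j
      next
    end
    key = line[i...j]
    i = j + 1
    value = String.new
    if i < n && line[i] == '"'
      i += 1                             # consume opening quote
      while i < n && line[i] != '"'
        i += 1 if line[i] == "\\" && i + 1 < n   # drop backslash, keep next char
        value << line[i]
        i += 1
      end
      i += 1                             # consume closing quote
    else
      while i < n && line[i] != " "
        value << line[i]
        i += 1
      end
    end
    out[key] = value
  end
  out
end

# Constructed sample: msg contains spaces, "=" and escaped quotes.
SAMPLE = 'user=alice msg="login \"admin=true\" failed" empty="" src=10.0.0.5'
```

On the sample line the naive parser truncates msg and produces an extra field from text inside the quoted value, which matters when downstream detections key on field names.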