KV Filter Pattern Usage

cappy · March 26, 2018, 6:11pm

Using the latest KV filter plugin (4.1.0)...

I'm trying to use the KV filter to parse a log formatted like the following:

Protocol: TCP, SrcIP: 192.168.1.1

and so on... (the main idea here is that the key/values are separated by colon+space and fields are separate by comma+space

I've tried the following:

filter {
   if [log_header] =~ "desired_value" {
     mutate {
      add_tag => [ "blah" ]
    }
    kv {
      value_split_pattern => ": "
      field_split_pattern => ", "
    }
  }
}

I've also tried the following for the value_split_pattern and field_split_pattern:

value_split_pattern => ":\s"
field_split_pattern => ",\s"

...however, the logs never make it into ES, and just stay in the queue.

If I remark the KV part and just let the log go in tagged, it works fine (unparsed, of course).

I have both PQ and DLQ enabled, and dead letter does not show a failure -- again, the log just stays in the queue forever.

Any thoughts?

Thanks,
Cappy

system · April 23, 2018, 6:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
KV plugin filter not working Logstash	5	880	June 27, 2018
KV Plugin Not working Logstash	9	674	August 27, 2019
Kv filter's behavior when square brackets in log data Logstash	2	1178	August 18, 2017
Kv filter value is not always correctly extracted using value_split_pattern Logstash	5	689	December 4, 2018
Question on kv filter Logstash	2	263	January 31, 2023

KV Filter Pattern Usage

Related Topics