Using the latest KV filter plugin (4.1.0)...
I'm trying to use the KV filter to parse a log formatted like the following:
Protocol: TCP, SrcIP: 192.168.1.1
and so on... (the main idea here is that the key/values are separated by colon+space and fields are separated by comma+space).
I've tried the following:
filter {
  if [log_header] =~ "desired_value" {
    mutate {
      add_tag => [ "blah" ]
    }
    kv {
      value_split_pattern => ": "
      field_split_pattern => ", "
    }
  }
}
I've also tried the following for the value_split_pattern and field_split_pattern:
  value_split_pattern => ":\s"
  field_split_pattern => ",\s"
...however, the logs never make it into ES, and just stay in the queue.
If I remark the KV part and just let the log go in tagged, it works fine (unparsed, of course).
I have both PQ and DLQ enabled, and dead letter does not show a failure -- again, the log just stays in the queue forever.
Any thoughts?
Thanks,
Cappy
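A minimal pipeline for isolating the kv filter from the persistent queue, the DLQ and the [log_header] conditional (an added example, not part of the original post; it assumes the raw line arrives in the default message field and uses the generator input so it runs with no external input at all):

```logstash
# Standalone test pipeline: no persistent queue, no DLQ and no
# [log_header] conditional, so the only thing under test is kv itself.
# Run with: bin/logstash -f kv_test.conf   (the file name is arbitrary)
input {
  generator {
    # Constructed sample line in the same "Key: value, Key: value" shape
    # as the original log; the generator input stores it in [message].
    lines => [ "Protocol: TCP, SrcIP: 192.168.1.1" ]
    count => 1
  }
}

filter {
  kv {
    # kv reads [message] by default, so no source => is needed here.
    value_split_pattern => ": "
    field_split_pattern => ", "
  }
}

output {
  # rubydebug prints every field, so the parsed result is visible directly:
  # the event should carry "Protocol" => "TCP" and "SrcIP" => "192.168.1.1".
  stdout { codec => rubydebug }
}
```

If this single event is printed immediately, the patterns are fine and the stall lies in the conditional, the field name or the queue configuration; if Logstash sits without printing, the kv filter itself is what blocks the pipeline.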