KV filter to display null keys

nilsb · September 7, 2018, 8:15pm

Hi experts,
I am completely new to Logstash and started using logstash 6.4.0 a day before

Problem statement:
I am trying to parse an application log using kv filter. The separator within the log line is tilde "~". I am able to get the key-value pairs for the not-null fields, but the null fields are getting ignored by the filter.

Example:
Sample Logline:
2018-09-06 16:51:16.337 INFO (THREAD-438) system_monitor : - LogTypeID=SAMPLELOG~RespCd=SAMPLE RESPONSE~MsgID=123456~HostNm=~SysTs=2018-09-06T16:51:16.312-07:00~AppID=SAMPLE~OrigCtyCd=~UPID=~PaySplitSeqNo=~AllocSeqNo=~AppServNmVr=Notify~PayTpChCd=~Amt=0~Curr=~SplitAmt=0~SplitCurr=~EventID="

Observation:
The split is happening as follows:
2018-09-06 16:51:16.337 INFO (THREAD-438) system_monitor : - LogTypeID=SAMPLELOG
RespCd=SAMPLE RESPONSE
MsgID=123456
....

But the following keys are gettting ignored (as they don't have a value associated) and not showing up:
OrigCtyCd
UPID
EventID
...

Please advise if there is way to display the NULL fields too?
regards..

yaauie · September 7, 2018, 10:23pm

That's not currently an option, but I just opened up a pull-request on the project to make it be one, so there's a good chance we'll be able to address your need soon.

The one caveat is: when this is enabled, the empty fields captured in this way will be zero-length strings, not null.

system · October 5, 2018, 10:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.