My log line has a field with "[reasonPhrase : Internal Server Error]" as value. I need to extract the reasonPhrase field and value as Internal Server Error.
But with the current filter or the default kv filter, only Internal is extracted.
This is my filter -
Also, is it possible to include spaces in selected fields only ? i.e. I want space to be included in reasonPhrase only and not in content.
If I don't make any mistake, it due to the fact that, by default, field_split in kv filter is set to space. So it only considers the 1st word as value.
Try maybe not to remove ] and set it as separator or something else (depending on how your whole log line looks like)
Thanks for the reply Nico.
This is what my log looks like.
EventId : 1, Level : Informational, Message : , Payload : [id : b6c286ed-7f12-497a-b7ef-18a19404675a] [ipAddress : 111.11.111.123] [method : GET] [requestUri : http://server2:8080/MyService/api/healthcheck] [content : ] , EventName : RequestInfo, Timestamp : 2017-01-16T06:00:43.1780011Z, ProcessId : 2288, ThreadId : 5588
EventId : 3, Level : Informational, Message : , Payload : [id : b6c286ed-7f12-497a-b7ef-18a19404675a] [headers : Connection: Keep-Alive Accept-Encoding: gzip, deflate Host: server2:8080 User-Agent: Manticore 0.5.5 CallerANI: 123-123-1234 CallID: 431-431-4311 ClientID: MyClientID OperationID: OperationID ProcessStepID: ProcessStepID ServerIPAddress: 123.123.123.123 TFN: 1-800-ABCD ] , EventName : RequestInfo, Timestamp : 2017-01-16T06:00:43.1780803Z, ProcessId : 2288, ThreadId : 5588
EventId : 2, Level : Informational, Message : , Payload : [id : b6c286ed-7f12-497a-b7ef-18a19404675a] [reasonPhrase : OK] [content : {"configuration":"Dev","now":"2017-01-16T06:00:42.7792925Z"}] , EventName : ResponseInfo, Timestamp : 2017-01-16T06:00:43.1785513Z, ProcessId : 2288, ThreadId : 5588
And I need to extract values - Method, ReasonPhrase....ID
Let me know how should I update my filter.
You want to use kv for your whole line or only for Payload event?
Yes. Becoz I need to extract only few values not all. i.e. method, reasonPhrase, RequestUri, Content, ClientID and ID fields only.
Any update on this please ?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
