Kv filter value is not always correctly extracted using value_split_pattern

CaptainAye · October 30, 2018, 9:36am

Hello,

I have a problem extracting values using kv filter. I would like to extract the values which are seperated from key by the spaces or by the equal signs. My configuration looks like that:

		kv {
			include_keys => [ "key1", "key2", "key3", "key4"]
			include_brackets => true
			source => "message"
			value_split_pattern => "\s=?\s?"
		}

The key value pairs like:

key1 <value1>
key2 = value2

Are correctly extracted in the elasticsearch but the value like:

key3 = <value3>

Are not extracted at all. I expected it to be extracted without the angle brackets, as include_brackets option is set to true.

Is there some problem with the configuration I am not aware of or is it a problem with kv filter?

tamara · October 31, 2018, 10:33pm

Hi,

I am trying to replicate your problem and I can not find the issue, which version of logstash are you using?

Logstash version 6.4.2 works just fine with this kv configuration.

CaptainAye · November 4, 2018, 8:11pm

Hi,
Thanks for your reply. I used Logstash 6.4.0 for that task - I'll check with 6.4.2 and I'll be back with the answer if the problem still exists or not.

CaptainAye · November 6, 2018, 6:25am

kv filter works fine with logstash 6.4.2 - the issue must have been fixed halfway from 6.4.0.

tamara · November 6, 2018, 5:57pm

Great, glad to hear that the problem was solved.

system · December 4, 2018, 5:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.