Kv filter with empty value

sebGA · December 3, 2015, 9:38am

Hi,

When using the logstash kv filter with default parameters ( kv { } ), i have problem when parsing a message with empty values.
See the following examples. The result in the first one is not good as the value associated with the intf_out key is the following key/value pair.

Example 1 (NOK):
Source message : "intf_in=eth0-996 intf_out= pkt_len=48"
kv filter result :

intf _in: eth0-996
intf_out: pkt_len=48

Example 2 (OK):
Source message : "intf_in=eth1 intf_out=eth4 pkt_len=48"
kv filter result :

intf _in: eth0-996
intf_out: eth4
pkt_len: 48

Is there an option for this filter that could help in getting a correct result (null value or empty value or not creating the key if value is empty) ?

Thanks

magnusbaeck · December 3, 2015, 9:44am

I think the kv filter requires values to be non-empty. Perhaps you could use the mutate filter's gsub option to replace "= " with "=xxx" and use "xxx" (whatever you choose) to indicate that the key was empty?

sebGA · December 3, 2015, 10:21am

It works great.
Quick and efficient answer, what else ?

Thanks a lot magnusbaeck.