Kv filter with empty value

sebGA · December 3, 2015, 9:38am

Hi,

When using the logstash kv filter with default parameters ( kv { } ), i have problem when parsing a message with empty values.
See the following examples. The result in the first one is not good as the value associated with the intf_out key is the following key/value pair.

Example 1 (NOK):
Source message : "intf_in=eth0-996 intf_out= pkt_len=48"
kv filter result :

intf _in: eth0-996
intf_out: pkt_len=48

Example 2 (OK):
Source message : "intf_in=eth1 intf_out=eth4 pkt_len=48"
kv filter result :

intf _in: eth0-996
intf_out: eth4
pkt_len: 48

Is there an option for this filter that could help in getting a correct result (null value or empty value or not creating the key if value is empty) ?

Thanks

magnusbaeck · December 3, 2015, 9:44am

I think the kv filter requires values to be non-empty. Perhaps you could use the mutate filter's gsub option to replace "= " with "=xxx" and use "xxx" (whatever you choose) to indicate that the key was empty?

sebGA · December 3, 2015, 10:21am

It works great.
Quick and efficient answer, what else ?

Thanks a lot magnusbaeck.

Topic		Replies	Views
Kv filter: empty value after key yields strange behavior Logstash	7	2805	September 5, 2018
KV Pair Filter with empty values - Logstash 6.2.3 Logstash	1	436	May 11, 2018
Problem with kv filter and empty value Logstash	1	792	July 6, 2017
KV filter in logstash 7.2.0 doesn't store a key having empty value Logstash	2	449	August 30, 2019
Fields splitting from kv filter not containing blank values Logstash	3	383	January 9, 2020

Kv filter with empty value

Related topics