Kv filter

Pola · October 2, 2017, 4:47pm

Hi,

I am trying to filter key values from 'message' field

"message": "<188>Oct 2 16:17:39.000 68.85.2.39 alarm[1318]: Alarm set: License color=YELLOW, class=SECOND, reason=Protocol usage requires a license\n"

I wanted to filter to:

color=YELLOW
class=SECOND
reason=Protocol usage requires a license

Below is KV that i used and i could able to filter class and reason but not color. Any suggestions are greatly welcome.
kv {
source => "message"
field_split => ","
value_split => "="
trim_key => " \t"
include_keys => [ "color", "class", "reason" ]
trim_value => ",\t"

Christian_Dahlqvist · October 2, 2017, 4:53pm

Use a grok filter to capture the various parts of the message into separate fields. Once you have the part that contains the kv list in a field, apply the kv filter just to that.

system · October 30, 2017, 4:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.