Kv filter's behavior when square brackets in log data

Pranav1 · July 17, 2017, 8:35am

In logstash I am using the following filter-

filter {
kv {
field_split => "\t"
}
}

So here I am using tab as field split and the value split I have kept default (i.e. '=')

Now I am sending a log like this-

animal=cat fruit=[apple]banana

where there is a tab between cat and fruit.

This is producing the filtered output as-

{
"animal": "cat"
"fruit": "apple"
"message": "animal=cat\tfruit=[apple]banana"
}

But I was expecting - "fruit": "[apple]banana".

Also then if I send a log like this-

animal=cat fruit=[apple]banana=healthy

where tab is only between cat and fruit
then the output produced is -

{
"banana" : "healthy"
"animal": "cat"
"fruit": "apple"
"message": "animal=cat\tfriut=[apple]banana=healthy"
}

But here I was expecting - "fruit": "[apple]banana=healthy" and no separate key as 'banana'.

Is this a bug or am I missing something here?

jsvd · July 21, 2017, 4:01pm

The kv filter works with many many regular expressions, and characteres like [|]<> can severely interfere with how the plugin works. There are even options to remove these characters if you know in advance they appear in the data

I suggest maybe using mutate gsub operations to make the text string more uniform so that the kv filter doesn't have to guess (and make the wrong decisions).

system · August 18, 2017, 4:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
KV filter is unable to handle = within a key value Logstash	6	1278	November 14, 2017
Kv filter value is not always correctly extracted using value_split_pattern Logstash	5	691	December 4, 2018
KV Pair Filter with empty values - Logstash 6.2.3 Logstash	1	436	May 11, 2018
KV Filtering data between square brackets Logstash	7	1824	May 1, 2018
Question on kv filter Logstash	2	263	January 31, 2023

Kv filter's behavior when square brackets in log data

Related topics