KV pairs automatically parsed by logstash?

Joe_Martin · March 13, 2024, 5:02pm

I have a device sending syslogs in standard kv pair format; with a comma (,) separating fields and equal (=) separating key from value.
sample:
key1="value1",key2="value2",key3="value3",...

In order to ensure ECS compatibility, I have a kv filter defined with a "target" field set.
In Elastic, I am expecting to only see the kv-parsed fields in the nested field but I am seeing them both at the root AND in the nested field.

Is there some "automatic" parsing that logstash does? If not, why do I see all of these fields at the document root as well as the nested field?

Badger · March 13, 2024, 5:49pm

No, there is not. Your configuration must be parsing them twice or copying them.

Joe_Martin · March 13, 2024, 6:08pm

Perhaps it is the syslog input plugin that is parsing out the kv pairs????
But I have no grok_pattern defined.

Badger · March 13, 2024, 6:17pm

No, the default parsing in a syslog input just parses the timestamp etc.

system · April 10, 2024, 6:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kv plugin behavior Logstash	5	363	October 22, 2018
Can logstash automatically identify KV pairs in the logs and parse them Logstash	1	419	September 6, 2017
Parsing nested key/value pairs with kv Logstash	3	1911	July 6, 2017
Logstash KV filter time field Logstash elastic-stack-monitoring , elastic-stack-security	6	491	August 17, 2021
Parsing an array of KV pairs Logstash	2	495	February 21, 2019

KV pairs automatically parsed by logstash?

Related topics