KV pairs automatically parsed by logstash?

Joe_Martin · March 13, 2024, 5:02pm

I have a device sending syslogs in standard kv pair format; with a comma (,) separating fields and equal (=) separating key from value.
sample:
key1="value1",key2="value2",key3="value3",...

In order to ensure ECS compatibility, I have a kv filter defined with a "target" field set.
In Elastic, I am expecting to only see the kv-parsed fields in the nested field but I am seeing them both at the root AND in the nested field.

Is there some "automatic" parsing that logstash does? If not, why do I see all of these fields at the document root as well as the nested field?

Badger · March 13, 2024, 5:49pm

No, there is not. Your configuration must be parsing them twice or copying them.

Joe_Martin · March 13, 2024, 6:08pm

Perhaps it is the syslog input plugin that is parsing out the kv pairs????
But I have no grok_pattern defined.

Badger · March 13, 2024, 6:17pm

No, the default parsing in a syslog input just parses the timestamp etc.

system · April 10, 2024, 6:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.