KV Plugin take only first key from a split_field Logstash 5.0

jattilioz · October 31, 2016, 11:23pm

Hi All,

Trying to work through this issue I am having parsing with KV plugin. My kv pairs are split with "=" and fields are delimited by "|". A small example below.

src=192.168.1.1|dst=192.168.1.2|resource=http://www.hls.com/Delivery/ClientPaths/Library/hook.js?apiKey=1223b2ff-b4ef-4963-9740-46548797|...

` kv {
source => "message"
field_split => "(?<!\)(|)"
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}

`
The problem I am having is KV plugin picks up src, dst and resource, but also apiKey and any others where "=" exists. I want the resource value in its entirety and not broken up. I do not want to take the route of using include_keys as more logs with different keys could be added in the future.

Any idea how to ignore the other "=" in a field like the resource example?

Christian_Dahlqvist · November 1, 2016, 3:52am

I do not understand your field_split configuration. Have you tried with something like this: field_split => "\s*|\s*" ?

jattilioz · November 1, 2016, 6:13pm

I will try this out, the current field split was used to match only "|" instead of occasional "|" (which I also do not want to split as | does not indicate a new field) appearing in the logs. Essentially split on "|" when not lead by a "". Maybe this could be causing issues.

As of right now, it splits key/values correctly unless an extra "=" is in the split field like the case of resource.